CN112968972A

CN112968972A - System and method for maintaining sessions via an intermediary device

Info

Publication number: CN112968972A
Application number: CN202110280340.4A
Authority: CN
Inventors: P·辛格尔
Original assignee: Citrix Systems Inc
Current assignee: Citrix Systems Inc
Priority date: 2015-10-30
Filing date: 2016-10-19
Publication date: 2021-06-15
Also published as: WO2017074766A1; KR102083105B1; EP3369237B1; CN108476231B; US20200382609A1; JP2019502972A; CN108476231A; JP6648265B2; US10785315B2; US11388243B2; KR20180054801A; US20170126812A1; EP3369237A1

Abstract

The present disclosure relates to systems and methods for maintaining sessions via an intermediary device. A first device intermediary to a client and a plurality of servers receives packets of a session. The packets of the session include application protocol data and application session metadata for maintaining the state of applications accessed via the session. The first device marks a session state of the session as an updated state. The first device determines that a second device intermediary to the client and the plurality of servers is in a ready state and that a session state of the session is in an updated state. The first device forwards the packetized application protocol data and application session metadata to the second device to maintain the same state of the application on the second device accessed via the session provided by the first device.

Description

System and method for maintaining sessions via an intermediary device

The present application is a divisional application filed under the title "system and method for maintaining a session via an intermediary device" with application number 201680074638.7, filed 2016, 10/19/2016.

RELATED APPLICATIONS

This application claims the benefit and priority of U.S. non-provisional application No.14/927600 entitled "Systems and methods For Maintaining A Session Via an Intermediary Device", filed on 30/10/2015, which is hereby incorporated by reference in its entirety For all purposes.

Technical Field

The present application relates generally to maintaining a session via an intermediary device. More particularly, the present application relates to a system and method for restoring application sessions when a primary intermediary device fails using a large number of dynamic states maintained in a standby intermediary device.

Background

The client device may access or use an application provided or executed by the server via an intermediary device intermediary to the client device and the server. The intermediary device may establish a session between the client device and the server to provide access to an application executed by the server. As the client device interacts with the application executed by the server during the session, the state of the application changes. However, if the intermediary device fails or stops responding, maintaining session state information and providing the client with access to the application executed by the server may be difficult. Thus, efficiently providing high availability of application resources when a computing device in a computing environment fails or stops responding can be challenging.

Disclosure of Invention

The present disclosure relates to systems and methods for maintaining sessions via an intermediary device. More particularly, the present solution relates to a system and method for restoring application sessions when a primary device fails using a large amount of dynamic state maintained in a standby intermediary device.

The device pairs may be deployed as active-standby device pairs intermediate a plurality of clients and a plurality of servers. For example, the device pair may include a first apparatus in an active mode in which the first apparatus actively services requests from the client by parsing packets received from the client, provides response packets received from the server to the client, or otherwise provides the client with access to an application executed by the server. In some cases, the first device of the pair that is initially configured in the active mode may be referred to as the master device. The pair of devices may include a second apparatus initially configured in a standby mode. The second device may not actively service the request from the client device. The second device may be referred to as a slave device because it is in standby mode and does not actively service requests received from the client or provide responses received from the server to the client. If the master device fails, stops responding, shuts down for periodic maintenance, or is unable to process packets between the client device and the server, the slave device may become the new master device and service the client device by processing client requests.

The device pair (or first or second apparatus thereof) may be configured to perform deep packet inspection on the application traffic. Application traffic may refer to packets received from a client to process or to provide to a server, or packets received from a server to process or to provide to a client. The device may perform deep packet inspection to gain visibility into session state or to facilitate troubleshooting or troubleshooting problems. In such a deployment, a client device accessing an application or desktop session via an application server protocol (e.g., independent computing architecture "ICA") may disconnect from the session if the master fails and the slave becomes the new master. The client device may have to re-log into the session to access an application or desktop session provided by the server via the intermediary device.

The system and method of the present solution can seamlessly resume the affected session on the new master intermediary device. By seamlessly restoring the affected session on the new master intermediary device, the client device may be unaffected by the failure of the original master intermediary device that caused the standby slave device to become the new master device.

For example, a computing network may use a network intermediary device (e.g., manufactured by jie systems limited, of laddolburg, florida) deployed in an active-standby device pair

) To provide high availability of application resources. In active-standby equipment pairs, the first intermediate device is actively engagedThe client device is serviced while the second intermediary device remains in a standby mode. For example, in some embodiments, a first intermediary device may be in an active mode and may parse and process an application session, such as an ICA session. The first intermediary device may be paired with a second intermediary device in a standby mode. The first intermediary device may maintain important state information that may be dynamic and change on a per packet basis (e.g., as each packet is being processed). If the first intermediary device fails, the standby device may become the new primary device. The slave device can become the new master device and continue the session without affecting the user experience provided by the client device.

The device pair (e.g., a first intermediary device, a second intermediary device, or an active-standby intermediary device pair) may be configured to provide visibility of a session between the client device and a server providing the application. For example, the intermediary device may provide visibility into a protocol (e.g., an ICA protocol or a high definition experience "HDX" protocol) for troubleshooting or analysis purposes. To resolve the protocol, one intermediate device in the pair manages a large amount of state information within that device. The state information may include, for example, information resulting from parsing the ICA protocol, parsing the common gateway protocol ("CGP"), decrypting and re-encrypting the ICA frame, or decompressing the ICA frame. Thus, the state information maintained by the intermediate device may be very large (e.g., 5 megabytes, 50 megabytes, 100 megabytes, 500 megabytes, or 1 gigabyte), and this state information may change with one or more packets processed by the intermediate device (e.g., may change with each processed packet).

The master intermediary device may maintain a state for each session in a memory of the master intermediary device. Sharing and updating the state in an external device (e.g., another intermediary device) may be challenging or impossible for the master intermediary device due to the size of the state updated on a per packet basis. If the master intermediary device is unable to share and update the state in the external device, the state maintained in the memory of the master intermediary device may be lost while the master intermediary device is offline. When the master intermediary goes offline, the connections between the master intermediary (e.g., transmission control protocol "TCP" connections) may be reset. When the connection between the client device and the master intermediary device is reset, an agent executing on the client device may initiate a session reconnection. A new connection (e.g., a TCP connection) established via a proxy-initiated session reconnection of a client device may be logged in or established through a new primary intermediary device (e.g., a second intermediary device that was previously in standby mode). If the new master intermediary device does not have state information for the session, the new master intermediary device may not be able to resume the session. The system and method of the present solution may allow a second intermediary device (or slave device) to maintain a state on the second device consistent with the master intermediary device while in standby mode. Thus, when the master intermediary goes offline and the slave intermediary takes over the new master role, the slave intermediary can support and continue session reconnection initiated by the client agent.

In some embodiments, both the master intermediary device and the slave intermediary device may be in a ready state. The ready state may indicate that the device is ready to parse packets carrying application protocol data and application session metadata. During application startup, an agent executing on a client device may issue a request to connect to a backend server or host via a host intermediary device over a protocol connection. The master intermediary may detect the request to initiate the connection and launch an application corresponding to the new protocol connection, and the master intermediary may parse and process the request.

The master intermediary device may detect that the slave intermediary device is in the ready state when the master intermediary device parses and processes a request or other data packet from an agent executing on the client device. In response to detecting that the slave intermediary is in the ready state, the master intermediary may mark the session as an updated state and also forward application protocol data and application session metadata corresponding to the request or data packet to the slave intermediary. The application protocol data and application session metadata may be collectively referred to as application data. Application protocol data may refer to high definition experience ("HDX") protocol data. Application session data may refer to HDX session metadata. The application data may be received from the intermediary device and parsed or application protocol data or application session metadata therein.

Thus, by forwarding application data from the master device to the slave device and instructing the slave device to parse the same application protocol data as the master intermediary device, the systems and methods of the present solution may maintain the same session state in both the master intermediary device and the slave intermediary device of the device pair. By maintaining the same session state in both the master intermediary and the slave intermediary, the slave intermediary may seamlessly take over when the master intermediary fails or otherwise becomes unresponsive. For example, all TCP connections may be reset when the master intermediary device fails. A proxy executing on the client device sends a request to establish a new CGP/ICA connection through a session reconnection procedure. The new connection may be registered with a new master intermediary device (e.g., a slave intermediary device previously in standby mode). The new master intermediary device may examine, process, or analyze the session reconnection to identify and retrieve session state information associated with the session reconnection. When the new master device is the slave intermediary device, the new master device may have created and maintained the session state information via packet retransmission from a previous (e.g., original or initial) master intermediary device.

If at some point in the process the original master intermediary device determines or detects that a slave intermediary device (e.g., a standby device) is not in a ready state (e.g., due to a failure from the intermediary device, a stop response from the intermediary device due to periodic or unscheduled maintenance, or offline), the master intermediary device may mark the session as a deactivated state or a not ready state. When the master intermediary device marks the session as inactive, the master intermediary device may stop, block, prevent, or terminate forwarding of the application protocol data or application session metadata to the slave intermediary device. Thus, if the session is in a deactivated state, the master intermediary device does not forward the application data to the slave intermediary device.

If at some later time the master intermediary device detects a return to an online state or a return to ready state from the intermediary device indicating that the slave intermediary device is ready to parse application protocol data to maintain a session state in the memory of the slave intermediary device, the master intermediary device may mark the session as a session update state. In response to a transition in the session state from the deactivated state to the updated state, the master intermediary device may push, provide, transfer, or otherwise forward the application protocol session state to the slave intermediary device in order to maintain the state from the intermediary device up to date. For example, the master intermediary device may push the complete application protocol session state to the slave intermediary device to keep the slave intermediary device up to date in a single communication. Thereafter, once the slave intermediary device maintains a session state in the memory of the slave intermediary device that matches the session state in the master intermediary device, the master intermediary device may continue to forward or retransmit application data to the slave intermediary device to keep the session state maintained by the slave intermediary device synchronized with the session state of the master intermediary device.

At least one aspect of the present disclosure is directed to a method of maintaining a session via an intermediary device. The method may include maintaining a session via a pair of devices including a first intermediary apparatus and a second intermediary apparatus. In some embodiments, a first device intermediary to a client and a plurality of servers receives packets of a session. The packets of the session include application protocol data and application session metadata for maintaining a state of an application accessed via the session. The first device marks a session state of the session as an updated state. The first device determines that a second device intermediary to the client and the plurality of servers is in a ready state and that a session state of the session is in an updated state. The first device forwards the application protocol data and the application session metadata of the packet to the second device to maintain the same state of the application accessed via the session provided by the first device on the second device. In response to determining that the second device is in the ready state and the session is in the updated state, the first device may forward the application protocol data and the application session metadata to the second device.

The ready state of the second device may indicate that the second device is ready to parse the application protocol data and the application session metadata to maintain the same state of the application accessed via the session provided by the first device in a memory of the second device. The first device may be in an active mode, actively servicing the client, and the second device may be in a standby mode. The first device and the second device may form an active-standby pair.

The first device may parse the packet to proactively serve the client during at least a portion of the session. The second device may be in a standby mode and maintain a state of an application accessed via a session provided by the first device in a memory of the second device while the first device is actively providing services to the client.

The first device may set a first value for a parameter of the session. In response to determining that the second apparatus is in the ready state, the first value may indicate to the first apparatus to forward the application protocol data and the application session metadata to the second apparatus. In response to the first value of the parameter, the first device may forward the packetized application protocol data and application session metadata to the second device. The second device may maintain a state of an application accessed via the session provided by the first device in a session data structure maintained by a memory of the second device. The second device may maintain a state of the application to match a state of an application on the first device accessed via the session.

The second device may resume the session on the second device. The second apparatus may resume the session in response to the first apparatus entering the offline mode. The second device may resume the session using a state of the application accessed via the session that matches a state of the application accessed via the session on the first device before the first device entered the offline mode. The first connection for the session may be reset when the first apparatus enters the offline mode. The second device may then establish a second connection with the client to resume the session.

The first device may establish a session between the client device and a server of the plurality of servers in response to receiving login information from the client. The second device may recover the session in response to a failure of the first device. The second device may resume the session if the second device does not receive login information from the client. In some embodiments, the second device may receive a request from an agent executed by the client to reconnect the session in response to a failure of the first device. The second device may retrieve the state maintained in the memory of the second device. The second device may resume the session using the state retrieved from the memory.

The first device may receive an indication to launch an application. The first device may receive the indication from the client. The first device may be in an active mode to actively provide service to the client. In response to the indication, the first apparatus may initiate a connection to a server of the plurality of servers. The server may be configured to execute the application. The first device may establish a session between the client and the server to provide access to an application executed by the server. The first device may detect that the second device is in a ready state. The first device may forward application protocol data and application session metadata of packets received by the first device during the session to the second device. The first device may forward the application protocol data and the application session metadata in response to detecting that the second device is in the ready state. The first device may forward the application protocol data and the application session metadata to enable the second device to maintain a state of the application accessed via the session in a memory of the second device while the first device parses the packet to provide access to the application executed by the server.

In some cases, the first device may detect that the second device is not in a ready state after or subsequent to the first device forwarding the application protocol data and the application session metadata to the second device. The first device may then set a second value of a parameter of the session to indicate to the first device not to forward the application protocol data and the application session metadata to the second device. The first device may determine not to forward the application protocol data and application session metadata of the second packet of the session received from the client. The first device may make this determination in response to the second value of the parameter.

In some cases, the first device may detect that the second device is in a ready state after determining not to forward the application protocol data and the application session metadata of the second packet. The first device may then push the complete session state to the second device. The complete session state may include application protocol data and application session metadata for the second packet that was not forwarded to the second device. The second device may then use the complete session state to update the state of the application saved in the memory of the second device to match the current session state maintained on the first device.

Another aspect relates to a system for maintaining a session via an intermediary. In some embodiments, the system may include a first device intermediary to a client and a plurality of servers. The first device may include one or more processors and memory. The first device is configured to receive packets of a session, the packets including application protocol data and application session data, for maintaining a state of an application accessed via the session. The first device is configured to mark a session state of the session as an updated state. The first device is configured to determine that a second device intermediary to the client and the plurality of servers is in a ready state and that a session state of the session is an updated state. The first device is configured to forward the application protocol data and the application session metadata of the packet to a second device intermediary to the client and the plurality of servers to maintain a same state of an application accessed via a session provided by the first device on the second device. The first device is configured to forward the application protocol data and the application session metadata of the packet in response to determining that the second device is in the ready state and the session is in the updated state.

The first apparatus may also be configured to parse the packet to proactively provide a service for the client during at least a portion of the session. In some embodiments, the system may include a second device configured to maintain a state of an application accessed via a session provided by the first device in a memory of the second device while the first device is actively providing services to the client. The second device may be in a standby mode.

In some embodiments, the first apparatus may be further configured to set a first value of a parameter of the session that instructs the first apparatus to forward the application protocol data and the application session metadata to the second apparatus in response to determining that the second apparatus is in the ready state. The first apparatus may be further configured to forward the application protocol data and the application session metadata of the packet to the second apparatus in response to the first value of the parameter. The second device may be further configured to maintain a state of an application accessed via the session provided by the first device in a session data structure maintained by a memory of the second device to match a state of the application accessed via the session on the first device.

The second apparatus may be further configured to, in response to the first apparatus entering the offline mode, resume the session on the second apparatus using a state of the application accessed via the session, the state matching a state of the application accessed via the session on the first apparatus before the first apparatus entered the offline mode. The second device may be further configured to receive a request from the client to reconnect the session in response to a failure of the first device. The second device may be configured to retrieve the state maintained in the memory of the second device. The second device may be configured to restore the session state retrieved from the memory.

In some embodiments, the first apparatus may be further configured to receive an indication from the client to launch the application. The first device may be in an active mode to actively provide service to the client. The first apparatus may be configured to initiate a connection to a server of the plurality of servers in response to the indication. The server may be configured to execute the application. The first device may be configured to establish a session between the client and the server to provide access to an application executed by the server. The first device may be configured to detect that the second device is in a ready state. The first apparatus may be configured to forward application protocol data and application session metadata of packets received by the first apparatus to the second apparatus during the session. The first device may forward the data in response to detecting that the second device is in a ready state while the first device parses the packet to provide access to the application executed by the server to enable the second device to maintain a state of the application accessed via the session in a memory of the second device.

The first device may be further configured to detect that the second device is not in a ready state after forwarding the packetized application protocol data and application session metadata to the second device. The first apparatus may be configured to set a second value to the parameter indicating that the first apparatus does not forward the application protocol data and the application session metadata to the second apparatus. The first apparatus may be configured to determine not to forward application protocol data and application session metadata of a second packet of the session received from the client in response to a second value of the parameter.

The first device may be further configured to detect that the second device is in a ready state after determining not to forward the application protocol data and the application session metadata of the second packet. The first device may be configured to provide the complete session state to the second device. The complete session state may include application protocol data and application session metadata for a second packet that is not forwarded to the second device. The second device may also be configured to update the state saved in the memory of the second device with the complete session state to match the current session state maintained on the first device.

Drawings

The foregoing and other objects, aspects, features, and advantages of the invention will become more apparent and more readily appreciated by reference to the following description taken in conjunction with the accompanying drawings in which:

FIG. 1A is a block diagram of an embodiment of a network environment in which a client accesses a server via a device;

FIG. 1B is a block diagram of an embodiment of an environment to transfer a computing environment from a server to a client via a device;

FIG. 1C is a block diagram of yet another embodiment of an environment for transferring a computing environment from a server to a client via a device;

FIG. 1D is a block diagram of yet another embodiment of an environment for transferring a computing environment from a server to a client via a device;

1E-1H are block diagrams of embodiments of computing devices;

FIG. 2A is a block diagram of an embodiment of an apparatus for handling communications between a client and a server;

FIG. 2B is a block diagram of yet another embodiment of an apparatus for optimizing, accelerating, load balancing, and routing communications between a client and a server;

FIG. 3 is a block diagram of an embodiment of a client for communicating with a server via a device;

FIG. 4A is a block diagram of an embodiment of a virtualized environment;

FIG. 4B is a block diagram of yet another embodiment of a virtualized environment;

FIG. 4C is a block diagram of an embodiment of a virtual appliance;

FIG. 5A is a block diagram of an embodiment of a method of implementing a parallelism mechanism in a multi-core system;

FIG. 5B is a block diagram of an embodiment of a system using a multi-core system;

FIG. 5C is a block diagram of another embodiment of aspects of a multi-core system;

FIG. 6 is a block diagram of an embodiment of a cluster system;

FIG. 7A is a block diagram of an embodiment of a system for maintaining a session via an intermediary device;

FIG. 7B is a block diagram of an embodiment of a method of maintaining a session via an intermediary device;

FIG. 8A is a flow diagram of an embodiment of maintaining a session via an intermediary device;

fig. 8B is a flow diagram of an embodiment of maintaining a session via an intermediary.

The features and advantages of the present invention will become more apparent from the detailed description set forth below when taken in conjunction with the drawings, in which like reference characters identify corresponding elements throughout. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements.

Detailed Description

For purposes of reading the description of the various embodiments below, the following descriptions of the sections of the specification and their respective contents are useful:

section a describes a network environment and a computing environment that can be used to implement the embodiments described herein;

section B describes embodiments of systems and methods for communicating a computing environment to a remote user;

section C describes embodiments of systems and methods for accelerating communications between clients and servers;

section D describes embodiments of systems and methods for virtualizing application delivery controllers.

Section E describes embodiments of systems and methods for providing a multi-core architecture and environment; and

section F describes embodiments of systems and methods for providing a clustered device architecture environment; and

section G describes embodiments of systems and methods for maintaining sessions via an intermediary device.

A.Network and computing environment

Before discussing the details of embodiments of systems and methods of devices and/or clients, it is helpful to discuss the network and computing environments in which these embodiments may be deployed. Referring now to FIG. 1A, an embodiment of a network environment is described. In general, a network environment includes one or more clients 102 a-102 n (also generally referred to as local machines 102, or clients 102) in communication with one or more servers 106 a-106 n (also generally referred to as servers 106, or remote machines 106) via one or more networks 104, 104' (generally referred to as networks 104). In some embodiments, the client 102 communicates with the server 106 through the appliance 200.

Although FIG. 1A shows the network 104 and the network 104' between the client 102 and the server 106, the client 102 and the server 106 may be located on the same network 104. The networks 104 and 104' may be the same type of network or different types of networks. Network 104 and/or 104' may be a Local Area Network (LAN), such as a corporate intranet, a Metropolitan Area Network (MAN), or a Wide Area Network (WAN), such as the Internet or world Wide Web. In one embodiment, the network 104 may be a private network and the network 104' may be a public network. In some embodiments, the network 104 may be a private network and the network 104' may be a public network. In yet another embodiment, both networks 104 and 104' may be private networks. In some embodiments, the client 102 may be located in a branch office of a corporate enterprise, communicating with a server 106 located in a corporate data center through a WAN connection over the network 104.

The networks 104 and/or 104' may be any type and/or form of network and may include any of the following: point-to-point networks, broadcast networks, wide area networks, local area networks, telecommunications networks, data communications networks, computer networks, ATM (asynchronous transfer mode) networks, SONET (synchronous optical network) networks, SDH (synchronous digital hierarchy) networks, wireless networks and wired networks. In some embodiments, the network 104 may include a wireless link, such as an infrared channel or satellite band. The topology of the networks 104 and/or 104' may be a bus, star, or ring network topology. The networks 104 and/or 104' and the network topology may be any such networks or network topologies known to those of ordinary skill in the art that may support the operations described herein.

As shown in fig. 1A, device 200 is shown between networks 104 and 104', and device 200 may also be referred to as an interface unit 200 or gateway 200. In some embodiments, the appliance 200 may be located on the network 104. For example, a branch office of a company may deploy the appliance 200 in the branch office. In other embodiments, the appliance 200 may be located on the network 104'. For example, the appliance 200 may be located in a company's data center. In yet another embodiment, multiple appliances 200 may be deployed on the network 104. In some embodiments, multiple appliances 200 may be deployed on the network 104'. In one embodiment, a first appliance 200 communicates with a second appliance 200'. In other embodiments, the appliance 200 may be part of any client 102 or server 106 located on the same or different network 104, 104' as the client 102. One or more appliances 200 may be located at any point in a network or network communication path between a client 102 and a server 106.

In some embodiments, the device 200 comprises any network device known as a Citrix NetScaler device manufactured by Citrix Systems, located at ft. In other embodiments, the device 200 includes any one of the product embodiments known as WebAccelerator and BigIP manufactured by F5 Networks, Inc. located in Seattle, Washington. In yet another embodiment, the appliance 205 comprises any of the DX accelerator platform manufactured by Juniper Networks, Inc. of Sunnyvale, Calif. and/or SSL VPN family of appliances such as SA700, SA2000, SA4000, and SA 6000. In yet another embodiment, device 200 includes any Application acceleration and/or security related device and/or software manufactured by Cisco Systems, Inc. of San Jose, Calif., such as Cisco ACE Application Control Engine Module services (Application Control Engine Module service) software and network modules and the Cisco AVS series Application speed System (Application Velocity System).

In one embodiment, the system may include a plurality of logically grouped servers 106. In these embodiments, the logical grouping of servers may be referred to as a server farm 38. In some of these embodiments, the servers 106 may be geographically dispersed. In some cases, the farm 38 may be managed as a single entity. In other embodiments, the server farm 38 includes a plurality of server farms 38. In one embodiment, a server farm executes one or more applications on behalf of one or more clients 102.

The servers 106 in each farm 38 may be heterogeneous. One or more servers 106 may operate according to one type of operating system platform (e.g., WINDOWS NT manufactured by Microsoft corporation of Redmond, Wash.), while one or more other servers 106 may operate according to another type of operating system platform (e.g., Unix or Linux). The server 106 of each farm 38 need not be physically close to another server 106 within the same farm 38. Thus, the set of servers 106 logically grouped into the farm 38 may be interconnected using a Wide Area Network (WAN) connection or a Metropolitan Area Network (MAN) connection. For example, the farm 38 may include servers 106 physically located on different continents or different areas, countries, states, cities, campuses, or rooms of a continent. If the servers 106 are connected using a Local Area Network (LAN) connection or some form of direct connection, the data transfer speed between the servers 106 in the farm 38 may be increased.

Server 106 may refer to a file server, an application server, a web server, a proxy server, or a gateway server. In some embodiments, the server 106 may have the capability to operate as an application server or as a primary application server. In one embodiment, the server 106 may include an active directory. The clients 102 may also be referred to as client nodes or endpoints. In some embodiments, a client 102 may have the ability to seek access to applications on a server as a client node, and may also have the ability to provide other clients 102a-102n with access to hosted applications as an application server.

In some embodiments, the client 102 communicates with the server 106. In one embodiment, the client 102 communicates directly with one of the servers 106 in the farm 38. In yet another embodiment, the client 102 executes a program neighbor application (program neighbor application) to communicate with the servers 106 within the farm 38. In yet another embodiment, the server 106 provides the functionality of a master node. In some embodiments, the client 102 communicates with the servers 106 in the farm 38 over the network 104. Through the network 104, the client 102 may, for example, request execution of various applications hosted by the servers 106a-106n in the farm 38, and receive output of results of the execution of the applications for display. In some embodiments, only the master node provides the functionality needed to identify and provide address information associated with the server 106' hosting the requested application.

In one embodiment, the server 106 provides the functionality of a web server. In yet another embodiment, the server 106a receives a request from the client 102, forwards the request to a second server 106b, and responds to the client 102 request with a response to the request from the server 106 b. In yet another embodiment, the server 106 obtains an enumeration of applications available to the client 102 and address information associated with the server 106 for the application identified by the enumeration of applications. In yet another embodiment, the server 106 provides a response to the request to the client 102 using a web interface. In one embodiment, the client 102 communicates directly with the server 106 to access the identified application. In yet another embodiment, the client 102 receives application output data, such as display data, generated by execution of an application identified on the server 106.

Referring now to FIG. 1B, an embodiment of a network environment deploying a plurality of appliances 200 is described. The first appliance 200 may be deployed on a first network 104 while the second appliance 200 'is deployed on a second network 104'. For example, a company may deploy a first appliance 200 at a branch office and a second appliance 200' at a data center. In yet another embodiment, the first appliance 200 and the second appliance 200' are deployed on the same network 104 or network 104. For example, a first appliance 200 may be deployed for a first server farm 38, while a second appliance 200 may be deployed for a second server farm 38'. In another example, a first appliance 200 may be deployed at a first branch office and a second appliance 200' at a second branch office. In some embodiments, the first appliance 200 and the second appliance 200' work in conjunction or conjunction with each other to accelerate the transfer of network traffic or applications and data between the client and the server.

Referring now to fig. 1C, yet another embodiment of a network environment is depicted in which the appliance 200 is deployed with one or more other types of appliances, for example, between one or more WAN optimization appliances 205, 205'. For example, a first WAN optimization appliance 205 is shown between networks 104 and 104 ', while a second WAN optimization appliance 205' may be deployed between appliance 200 and one or more servers 106. For example, a company may deploy a first WAN optimization appliance 205 at a branch office and a second WAN optimization appliance 205' at a data center. In some embodiments, the device 205 may be located on the network 104'. In other embodiments, the device 205' may be located on the network 104. In some embodiments, the device 205 'may be located on the network 104' or the network 104 ". In one embodiment, devices 205 and 205' are on the same network. In yet another embodiment, the appliances 205 and 205' are on different networks. In another example, a first WAN optimization appliance 205 may be deployed for a first server farm 38 and a second WAN optimization appliance 205 'may be deployed for a second server farm 38'.

In one embodiment, the appliance 205 is a device for accelerating, optimizing, or otherwise improving the performance, operation, or quality of service of any type and form of network traffic (e.g., traffic to and/or from a WAN connection). In some embodiments, the appliance 205 is a performance enhancing proxy. In other embodiments, the appliance 205 is any type and form of WAN optimization or acceleration device, sometimes referred to as a WAN optimization controller. In one embodiment, device 205 is any of the product embodiments known as WANScaler, available from Citrix Systems, located in ft. In other embodiments, the device 205 comprises any of the product embodiments known as BIG-IP link controllers and WANjet, available from F5 Networks, located in Seattle, washington. In yet another embodiment, the device 205 includes any of the WX and WXC WAN accelerator platforms manufactured by Juniper NetWorks, Sunnyvale, Calif. In some embodiments, device 205 comprises any of the rainbow trout (steelhead) series of WAN optimization devices produced by Riverbed Technology corporation of San Francisco, california. In other embodiments, the appliance 205 comprises any of the WAN-related devices available from Expand Networks, Inc. of Roseland, N.J.. In one embodiment, device 205 comprises any of the WAN-related devices available from packer corporation of Cupertino, Calif., such as the PacketShaper, iSared, and SkyX product embodiments offered by packer. In yet another embodiment, device 205 comprises any WAN-related device and/or software, such as Cisco Wide area network application service software and network modules and Wide area network Engine devices, available from Cisco Systems, Inc. of San Jose, Calif.

In one embodiment, the appliance 205 provides application and data acceleration services for a branch office or remote office. In one embodiment, the device 205 includes optimization of Wide Area File Service (WAFS). In yet another embodiment, the device 205 accelerates the transfer of files, for example, via the Common Internet File System (CIFS) protocol. In other embodiments, the appliance 205 provides caching in memory and/or storage to speed up the transfer of applications and data. In one embodiment, the appliance 205 provides compression of network traffic at any level of the network stack or in any protocol or network layer. In yet another embodiment, the appliance 205 provides transport layer protocol optimization, flow control, performance enhancement or modification and/or management to accelerate the transfer of applications and data over the WAN connection. For example, in one embodiment, the appliance 205 provides Transmission Control Protocol (TCP) optimization. In other embodiments, the appliance 205 provides optimization, flow control, performance enhancement or modification and/or management for any session or application layer protocol.

In yet another embodiment, the device 205 encodes any type and form of data or information into custom or standard TCP and/or IP header fields or optional fields of a network packet to advertise its presence, functionality or capabilities to another device 205'. In yet another embodiment, the device 205 'may communicate with another device 205' using data encoded in TCP and/or IP header fields or options. For example, the devices may use TCP options or IP header fields or options to communicate one or more parameters used by the devices 205, 205' in performing functions such as WAN acceleration or to work in conjunction with each other.

In some embodiments, appliance 200 maintains any information encoded in TCP and/or IP headers and/or optional fields communicated between appliances 205 and 205'. For example, the appliance 200 may terminate a transport layer connection through the appliance 200, such as one between a client and a server through appliances 205 and 205'. In one embodiment, the appliance 200 identifies and stores any encoded information in a transport layer packet sent by the first appliance 205 over a first transport layer connection and communicates the transport layer packet with the encoded information to the second appliance 205' via a second transport layer connection.

Referring now to FIG. 1D, a network environment for transporting and/or operating a computing environment on a client 102 is depicted. In some embodiments, the server 106 includes an application delivery system 190 for delivering computing environments or applications and/or data files to one or more clients 102. In general, a client 10 communicates with a server 106 through a network 104, 104' and a device 200. For example, client 102 may reside in a remote office of a company, such as a branch office, and server 106 may reside in a corporate data center. The client 102 includes a client agent 120 and a computing environment 15. The computing environment 15 may execute or operate an application for accessing, processing, or using data files. The computing environment 15, applications, and/or data files may be transmitted via the appliance 200 and/or the server 106.

In some embodiments, the appliance 200 accelerates the transfer of the computing environment 15, or any portion thereof, to the client 102. In one embodiment, the appliance 200 accelerates the transfer of the computing environment 15 through the application transfer system 190. For example, embodiments described herein may be used to accelerate the transfer of streaming applications (streaming applications) and data files that the applications may process from a corporate central data center to a remote user location, such as a corporate branch office. In yet another embodiment, the appliance 200 accelerates transport layer traffic between the client 102 and the server 106. The appliance 200 may provide acceleration techniques for accelerating any transport layer payload from the server 106 to the client 102, such as: 1) transport layer connection pooling, 2) transport layer connection multiplexing, 3) transport control protocol buffering, 4) compression, and 5) caching. In some embodiments, the appliance 200 provides load balancing of the servers 106 in response to requests from the clients 102. In other embodiments, the appliance 200 acts as a proxy or access server to provide access to one or more servers 106. In yet another embodiment, the appliance 200 provides a secure virtual private network connection, such as an SSL VPN connection, from the first network 104 of the client 102 to the second network 104' of the server 106. In still other embodiments, the appliance 200 provides application firewall security, control, and management of connections and communications between the client 102 and the server 106.

In some embodiments, the application delivery management system 190 provides an application delivery technique that delivers the computing environment to the desktop of a remote or additional user based on a number of execution methods and based on any authentication and authorization policies applied by the policy engine 195. Using these techniques, a remote user may obtain a computing environment from any network connected device 100 and access application and data files stored by a server. In one embodiment, the application delivery system 190 may reside on or execute on the server 106. In yet another embodiment, the application delivery system 190 may reside on or execute on a plurality of servers 106a-106 n. In some embodiments, the application delivery system 190 may execute within the server farm 38. In one embodiment, the server 106 executing the application delivery system 190 may also store or provide applications and data files. In yet another embodiment, a first set of one or more servers 106 may execute the application delivery system 190, while a different server 106n may store or provide application and data files. In some embodiments, each of the application delivery system 190, the application, and the data file may reside or be located on a different server. In yet another embodiment, any portion of the application delivery system 190 may reside, execute, or be stored or distributed to the appliance 200 or multiple appliances.

The client 102 may include a computing environment 15 for executing applications that use or process data files. The client 102 may request applications and data files from the server 106 via the networks 104, 104' and the appliance 200. In one embodiment, the appliance 200 may forward a request from a client 102 to a server 106. For example, the client 102 may not have locally stored or locally accessible applications and data files. In response to the request, the application delivery system 190 and/or the server 106 may deliver the application and the data file to the client 102. For example, in one embodiment, the server 106 may transport the application as an application stream to operate in the computing environment 15 on the client 102.

In some embodiments, the application delivery system 190 comprises Citrix Access Suite from Citrix Systems, Inc^TMOf (e.g. MetaFrame or Citrix Presentation Server)^TM) And/or developed by Microsoft corporation

Any of the Windows terminal services. In one embodiment, the application delivery system 190 may be based on remote computing or based on remote display protocols or otherwiseThe server computer transmits one or more applications to the client 102 or user. In yet another embodiment, the application delivery system 190 may deliver one or more applications to a client or user through an application stream.

In one embodiment, the application delivery system 190 includes a policy engine 195 for controlling and managing access to applications, selection of application execution methods, and delivery of applications. In some embodiments, the policy engine 195 determines one or more applications that a user or client 102 may access. In yet another embodiment, the policy engine 195 determines how the application should be delivered to the user or client 102, e.g., executing a method. In some embodiments, the application delivery system 190 provides a plurality of delivery technologies from which to select a method of application execution, such as server-based computing, local streaming, or delivering an application to the client 120 for local execution.

In one embodiment, the client 102 requests execution of an application and the application delivery system 190, including the server 106, selects a method of executing the application. In some embodiments, the server 106 receives the certificate from the client 102. In yet another embodiment, the server 106 receives a request for an enumeration of available applications from the client 102. In one embodiment, in response to the request or receipt of the certificate, the application delivery system 190 enumerates a plurality of application programs available to the client 102. The application delivery system 190 receives a request to execute the enumerated application. The application delivery system 190 selects one of a predetermined number of methods to execute the enumerated application, such as in response to a policy of a policy engine. The application delivery system 190 may select a method of executing the application such that the client 102 receives application output data generated by executing the application program on the server 106. The application delivery system 190 may select a method of executing the application such that the local machine 10 locally executes the application program after retrieving the plurality of application files including the application. In yet another embodiment, the application delivery system 190 may select a method of executing an application to stream the application to the client 102 over the network 104.

The client 102 may execute, operate, or otherwise provide an application, which may be any type and/or form of software, program, or executable instructions, such as any type and/or form of web browser, web-based client, client-server application, thin-client computing client, ActiveX control, or Java program, or any other type and/or form of executable instructions that may execute on the client 102. In some embodiments, the application may be a server-based or remote-based application executing on the server 106 on behalf of the client 102. In one embodiment, the server 106 may display output to the client 102 using any thin-client or remote display protocol, such as the Independent Computing Architecture (ICA) protocol offered by Citrix Systems, inc., of ft. The application may use any type of protocol, and it may be, for example, an HTTP client, an FTP client, an Oscar client, or a Telnet client. In other embodiments, the application includes any type of software associated with VoIP communications, such as soft IP telephony. In a further embodiment, the application comprises any application involving real-time data communication, such as an application for streaming video and/or audio.

In some embodiments, the server 106 or server farm 38 may run one or more applications, such as applications that provide thin-client computing or remote display of presentation applications. In one embodiment, the server 106 or server farm 38 acts as an application to execute Citrix Access Suite from Citrix Systems, Inc^TMOf (e.g. MetaFrame or Citrix Presentation Server)^TM) And/or developed by Microsoft corporation

Any of the Windows terminal services. In one embodiment, the application is an ICA client developed by Citrix Systems, Inc. of Fort Lauderdale, Florida. In other embodiments, the application comprises development by Microsoft corporation of Redmond, WashingtonA Remote Desktop (RDP) client. Additionally, the server 106 may run an application, which may be, for example, an application server that provides email services, such as Microsoft Exchange, Web or Internet servers, or desktop sharing servers, or collaboration servers, manufactured by Microsoft corporation of Redmond, Washington. In some embodiments, any application may include any type of hosted service or product, such as GoToMeeting, available from Citrix Online Division, Inc. of Santa Barbara, Calif ^TMWebEx, available from WebEx Inc. of Santa Clara, Calif^TMOr Microsoft Office Live Meeting, available from Microsoft corporation of Redmond, Washington.

Still referring to FIG. 1D, one embodiment of a network environment may include a monitoring server 106A. The monitoring server 106A may include any type and form of performance monitoring service 198. The performance monitoring service 198 may include monitoring, measurement, and/or management software and/or hardware, including data collection, aggregation, analysis, management, and reporting. In one embodiment, the performance monitoring service 198 includes one or more monitoring agents 197. The monitoring agent 197 includes any software, hardware, or combination thereof for performing monitoring, measurement, and data collection activities on devices such as the client 102, the server 106, or the

appliances

200 and 205. In some embodiments, the monitoring agent 197 includes any type and form of script, such as Visual Basic script or Javascript. In one embodiment, the monitoring agent 197 executes transparently with respect to any application and/or user of the device. In some embodiments, the monitoring agent 197 is installed and operated unobtrusively with respect to the application or client. In yet another embodiment, the installation and operation of the monitoring agent 197 does not require any equipment for the application or device.

In some embodiments, the monitoring agent 197 monitors, measures, and collects data at a predetermined frequency. In other embodiments, the monitoring agent 197 monitors, measures, and collects data based on detecting any type and form of event. For example, the monitoring agent 197 may collect data upon detecting a request for a web page or receiving an HTTP response. In another example, the monitoring agent 197 may collect data upon detection of any user input event, such as a mouse click. The monitoring agent 197 may report or provide any monitored, measured, or collected data to the monitoring service 198. In one embodiment, the monitoring agent 197 sends information to the monitoring service 198 according to a schedule or a predetermined frequency. In yet another embodiment, the monitoring agent 197 sends information to the monitoring service 198 upon detecting an event.

In some embodiments, the monitoring service 198 and/or monitoring agent 197 monitors and measures performance of any network resource or network infrastructure element, such as a client, server farm, appliance 200, appliance 205, or network connection. In one embodiment, the monitoring service 198 and/or monitoring agent 197 performs monitoring and performance measurement of any transport layer connection, such as a TCP or UDP connection. In yet another embodiment, the monitoring service 198 and/or monitoring agent 197 monitors and measures network latency. In yet another embodiment, the monitoring service 198 and/or monitoring agent 197 measures and monitors bandwidth utilization.

In other embodiments, the monitoring service 198 and/or monitoring agent 197 monitors and measures end-user response times. In some embodiments, the monitoring service 198 performs monitoring and performance measurements of applications. In yet another embodiment, the monitoring service 198 and/or monitoring agent 197 performs monitoring and performance measurement of any session or connection to an application. In one embodiment, the monitoring service 198 and/or monitoring agent 197 monitors and measures performance of a browser. In yet another embodiment, the monitoring service 198 and/or monitoring agent 197 monitors and measures performance of HTTP-based transactions. In some embodiments, the monitoring service 198 and/or monitoring agent 197 monitors and measures performance of a voice over IP (VoIP) application or session. In other embodiments, the monitoring service 198 and/or monitoring agent 197 monitors and measures performance of a remote display protocol application, such as an ICA client or RDP client. In yet another embodiment, the monitoring service 198 and/or monitoring agent 197 monitors and measures the performance of any type and form of streaming media. In a further embodiment, the monitoring Service 198 and/or monitoring agent 197 monitors and measures the performance of a hosted application or Software As a Service (SaaS) delivery model.

In some embodiments, the monitoring service 198 and/or monitoring agent 197 performs monitoring and performance measurement of one or more transactions, requests, or responses related to an application. In other embodiments, the monitoring service 198 and/or monitoring agent 197 monitors and measures any portion of the application layer stack, such as any. NET or J2EE calls. In one embodiment, the monitoring service 198 and/or monitoring agent 197 monitors and measures database or SQL transactions. In yet another embodiment, the monitoring service 198 and/or monitoring agent 197 monitors and measures any method, function, or Application Programming Interface (API) calls.

In one embodiment, the monitoring service 198 and/or monitoring agent 197 performs monitoring and performance measurements for the transfer of applications and/or data from a server to a client via one or more appliances, such as appliance 200 and/or appliance 205. In some embodiments, the monitoring service 198 and/or monitoring agent 197 measures and monitors performance of delivery of a virtualized application. In other embodiments, the monitoring service 198 and/or monitoring agent 197 monitors and measures performance of delivery of a streaming application. In yet another embodiment, the monitoring service 198 and/or monitoring agent 197 measures and measures performance of transferring and/or executing desktop applications on a client. In yet another embodiment, the monitoring service 198 and/or monitoring agent 197 monitors and measures performance of client/server applications.

In one embodiment, the monitoring service 198 and/or monitoring agent 197 is designed and constructed to provide application performance management for the application delivery system 190. For example, the monitoring service 198 and/or monitoring agent 197 may monitor, measure, and manage the performance of applications delivered via a Citrix Presentation Server. In this example, the monitoring service 198 and/or monitoring agent 197 monitors individual ICA sessions. The monitoring service 198 and/or monitoring agent 197 may measure total and per session system resource usage, as well as application and networking performance. The monitoring service 198 and/or monitoring agent 197 may identify an active server (active server) for a given user and/or user session. In some embodiments, the monitoring service 198 and/or monitoring agent 197 monitors backend connections between the application delivery system 190 and applications and/or database servers. The monitoring service 198 and/or monitoring agent 197 may measure network latency, delay, and capacity for each user session or ICA session.

In some embodiments, the monitoring service 198 and/or monitoring agent 197 measures and monitors memory usage, such as total memory usage, per user session, and/or per process, for the application delivery system 190. In other embodiments, the monitoring service 198 and/or monitoring agent 197 measures and monitors CPU usage of the application delivery system 190, such as total CPU usage, per user session, and/or per process. In yet another embodiment, the monitoring service 198 and/or monitoring agent 197 measures and monitors the time required to log into an application, server, or application delivery system, such as a Citrix presentation server. In one embodiment, the monitoring service 198 and/or monitoring agent 197 measures and monitors the duration of time a user logs into an application, server, or application delivery system 190. In some embodiments, the monitoring service 198 and/or monitoring agent 197 measures and monitors the active and inactive session counts of an application, server, or application delivery system session. In yet another embodiment, the monitoring service 198 and/or monitoring agent 197 measures and monitors user session latency.

In further embodiments, the monitoring service 198 and/or monitoring agent 197 measures and monitors any type and form of server metrics. In one embodiment, the monitoring service 198 and/or monitoring agent 197 measures and monitors metrics related to system memory, CPU usage, and disk storage. In yet another embodiment, the monitoring service 198 and/or monitoring agent 197 measures and monitors metrics related to page faults, such as page faults per second. In other embodiments, the monitoring service 198 and/or monitoring agent 197 measures and monitors metrics of round trip time. In yet another embodiment, the monitoring service 198 and/or monitoring agent 197 measures and monitors metrics related to application crashes, errors, and/or outages.

In some embodiments, the monitoring service 198 and monitoring agent 198 include any of the product embodiments known as EdgeSight, available from Citrix Systems, located in ft. In yet another embodiment, the performance monitoring service 198 and/or monitoring agent 198 includes any portion of a product embodiment known as the TrueView product suite, marketed by Symphoniq, Inc. of Palo Alto, Calif. In one embodiment, the performance monitoring service 198 and/or monitoring agent 198 includes any portion of an embodiment of a product known as the TeaLeaf cx product suite, available from TeaLeaf technology corporation, San Francisco, california. In other embodiments, the Performance monitoring service 198 and/or monitoring agent 198 comprises any portion of commercial service management products, such as BMC Performance managers and Patrol products (BMC Performance managers and control products), produced by BMC software corporation, Houston, Tex.

The client 102, server 106, and appliance 200 may be deployed and/or executed on any type and form of computing device, such as a computer, network device, or apparatus capable of communicating over any type and form of network and performing the operations described herein. FIGS. 1E and 1F depict block diagrams of a computing device 100 that may be used to implement embodiments of a client 102, server 106, or appliance 200. As shown in fig. 1E and 1F, each computing device 100 includes a central processing unit 101 and a main memory unit 122. As shown in FIG. 1E, the computing device 100 may include a visual display device 124, a keyboard 126, and/or a pointing device 127, such as a mouse. Each computing device 100 may also include other optional elements, such as one or more input/output devices 130 a-130 b (generally referred to using reference numeral 130), and a cache memory 140 in communication with the central processing unit 101.

Central processing unit 101 is any logic circuitry that responds to and processes instructions fetched from main memory unit 122. In many embodiments, the central processing unit is provided by a microprocessor unit, such as: a microprocessor unit manufactured by Intel corporation of Mountain View, Calif.; a microprocessor unit manufactured by Motorola corporation of Schaumburg, illinois; microprocessor units manufactured by Transmeta corporation of Santa Clara, california; RS/6000 processors manufactured by International Business Machines corporation of White Plains, N.Y.; or a microprocessor unit manufactured by Advanced Micro Devices, inc. Computing device 100 may be based on any of these processors, or any other processor capable of operating as described herein.

The main memory unit 122 may be one or more memory chips capable of storing data and allowing the microprocessor 101 to directly access any memory location, such as Static Random Access Memory (SRAM), burst SRAM or synchronous burst SRAM (bsram), dynamic random access memory DRAM, fast page mode DRAM (fpm DRAM), enhanced DRAM (edram), extended data output ram (edo ram), extended data output DRAM (edo DRAM), burst extended data output DRAM (bedo DRAM), enhanced DRAM (edram), Synchronous DRAM (SDRAM), JEDEC SRAM, PC100 SDRAM, double data rate SDRAM (ddr SDRAM), enhanced SRAM (esdram), synchronous link DRAM (sldram), direct memory bus DRAM (drdram), or ferroelectric ram (fram). The main memory 122 may be based on any of the memory chips described above, or any other available memory chip capable of operating as described herein. In the embodiment shown in FIG. 1E, the processor 101 communicates with main memory 122 via a system bus 150 (described in more detail below). FIG. 1E depicts an embodiment of a computing device 100 in which the processor communicates directly with main memory 122 through a memory port 103. For example, in FIG. 1F, the main memory 122 may be a DRDRAM.

FIG. 1F depicts an embodiment in which the main processor 101 communicates directly with cache memory 140 over a second bus, sometimes referred to as a back-side bus. In other embodiments, the main processor 101 communicates with the cache memory 140 using the system bus 150. Cache memory 140 typically has a faster response time than main memory 122 and is typically provided by SRAM, BSRAM, or EDRAM. In the embodiment shown in FIG. 1F, the processor 101 communicates with a plurality of I/O devices 130 over a local system bus 150. The central processing unit 101 may be connected to any of the I/O devices 130 using a variety of different buses, including a VESA VL bus, an ISA bus, an EISA bus, a Microchannel architecture (MCA) bus, a PCI-X bus, a PCI-Express bus, or a NuBus. For embodiments in which the I/O device is a video display 124, the processor 101 may use an Advanced Graphics Port (AGP) to communicate with the display 124. FIG. 1F illustrates one embodiment of the computer 100 in which the host processor 101 communicates directly with the I/O device 130 via HyperTransport, fast I/O, or InfiniBand. FIG. 1F also depicts an embodiment in which local buses and direct communication are mixed: the processor 101 communicates with the I/O device 130b using a local interconnect bus while communicating directly with the I/O device 130 a.

The computing device 100 may support any suitable installation device 116, such as a floppy disk drive for receiving a floppy disk, such as a 3.5 inch, 5.25 inch disk, or ZIP disk, a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, tape drives of various formats, USB devices, hard drives, or any other device suitable for installing software and programs like any client agent 120 or portion thereof. The computing device 100 may also include a storage device 128, such as one or more hard disk drives or redundant arrays of independent disks, for storing an operating system and other related software, and for storing application software programs, such as any program related to the client agent 120. Alternatively, any of the mounting devices 116 may be used as the storage device 128. In addition, operating systems and software may run from a bootable medium, such as a bootable CD, for example

A bootable CD for GNU/Linux, available as a distribution edition of GNU/Linux from knoppix.

Further, computing device 100 may include network interface 118 to interface to a Local Area Network (LAN), Wide Area Network (WAN) or the Internet through various connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56kb, X.25), broadband connections (e.g., ISDN, frame Relay, ATM), wireless connections, or some combination of any or all of the above. The network interface 118 may include a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem, or any other device suitable for interfacing the computing device 100 to any type of network capable of communication and performing the operations described herein. Various I/O devices 130a-130n may be included in the computing device 100. Input devices include keyboards, mice, touch pads, trackballs, microphones, and graphics tablets. Output devices include video displays, speakers, inkjet printers, laser printers, and dye sublimation printers. As shown in FIG. 1E, I/O device 130 may be controlled by I/O controller 123. The I/O controller may control one or more I/O devices, such as a keyboard 126 and a pointing device 127 (e.g., a mouse or light pen). Further, the I/O devices may also provide storage 128 and/or installation media 116 for the computing device 100. In other embodiments, the computing device 100 may provide a USB connection to receive a handheld USB storage device, such as a USB flash drive family device manufactured by Twintech Industry, Inc. of Los Alamitos, Calif.

In some embodiments, computing device 100 may include or be connected to multiple display devices 124a-124n, each of which may be of the same or different types and/or forms. Thus, any one of the I/O devices 130a-130n and/or the I/O controller 123 may include any type and/or form of appropriate hardware, software, or combination of hardware and software to support, enable, or provide for connection and use of multiple display devices 124a-124n by the computing device 100. For example, the computing device 100 may include any type and/or form of video adapter, video card, driver, and/or library to interface with, communicate with, connect to, or otherwise use the display devices 124a-124 n. In one embodiment, the video adapter may include multiple connectors to interface with multiple display devices 124a-124 n. In other embodiments, computing device 100 may include multiple video adapters, each connected to one or more of display devices 124a-124 n. In some embodiments, any portion of the operating system of the computing device 100 may be configured to use multiple displays 124a-124 n. In other embodiments, one or more of the display devices 124a-124n may be provided by one or more other computing devices, such as

computing devices

100a and 100b connected to computing device 100 over a network, for example. These embodiments may include any type of software designed and configured to use another computer's display device as the second display device 124a of the computing device 100. Those of ordinary skill in the art will recognize and appreciate various methods and embodiments by which the computing device 100 may be configured with multiple display devices 124a-124 n.

In further embodiments, the I/O device 130 may be a bridge 170 between the system bus 150 and an external communication bus, such as a USB bus, Apple desktop bus, RS-232 serial connection, SCSI bus, FireWire800 bus, Ethernet bus, AppleTalk bus, gigabit Ethernet bus, asynchronous transfer mode bus, HIPPI bus, super HIPPI bus, SerialPlus bus, SCI/LAMP bus, fibre channel bus, or serial SCSI bus.

Computing devices 100 of the type depicted in FIGS. 1E and 1F typically operate under the control of an operating system that controls the scheduling of tasks and access to system resources. Computing device 100 may run any operating system, such as

Windows operating system, different releases of Unix and Linux operating systems, any version of MAC for Macintosh computers

Any embedded operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating system for a mobile computing device, or any other operating system capable of running on a computing device and performing the operations described herein. Typical operating systems include: WINDOWS 3.x, WINDOWS 95, WINDOWS 98, WINDOWS 2000, WINDOWS NT 3.51, WINDOWS NT 4.0, WINDOWS CE and WINDOWS XP, all of which are available from Microsoft corporation of Redmond, Washington; from Cupert, California MacOS of ino apple computer products; OS/2, available from International Business machines corporation, Armonk, N.Y.; and the freely available Linux operating system or any type and/or form of Unix operating system, as distributed by the Caldera corporation of Salt Lake City, utah, among others.

In other embodiments, the computing device 100 may have a different processor, operating system, and input device consistent with the device. For example, in one embodiment, computer 100 is a Treo180, 270, 1060, 600, or 650 smart phone, available from Palm corporation. In this embodiment, the Treo smartphone operates under the control of the PalmOS operating system and includes a stylus input device and a five-way navigation device. Further, the computing device 100 may be any workstation, desktop computer, laptop or notebook computer, server, handheld computer, mobile phone, any other computer, or other form of computing or telecommunication device capable of communication and having sufficient processor power and storage capacity to perform the operations described herein.

As shown in fig. 1G, computing device 100 may include multiple processors and may provide functionality for executing multiple instructions simultaneously or one instruction simultaneously on more than one piece of data. In some embodiments, computing device 100 may include a parallel processor with one or more cores. In one of these embodiments, computing device 100 is a shared memory parallel device having multiple processors and/or multiple processor cores, accessing all available memory as a global address space. In yet another of these embodiments, the computing device 100 is a distributed memory parallel device having multiple processors, each processor accessing a local memory. In yet another of these embodiments, the computing device 100 has both shared memory and memory that is only accessed by a particular processor or subset of processors. In yet another of these embodiments, a computing device 100, such as a multi-core microprocessor, combines two or more independent processors in a single package, typically in a single Integrated Circuit (IC). In yet another of these embodiments, the computing device 100 comprises a chip having a CELL BROADBAND ENGINE (CELL broad ENGINE) architecture, and includes a high-power processor unit and a plurality of co-processing units coupled together by an internal high-speed bus, which may be referred to as a CELL interconnect bus.

In some embodiments, a processor provides functionality for executing a Single Instruction (SIMD) on multiple pieces of data simultaneously. In other embodiments, the processor provides functionality for executing Multiple Instructions (MIMD) simultaneously on multiple pieces of data. In yet another embodiment, a processor may use any combination of SIMD and MIMD cores in a single device.

In some embodiments, computing device 100 may include an image processing unit. In one of these embodiments, shown in FIG. 1H, the computing device 100 includes at least one central processing unit 101 and at least one image processing unit. In yet another of these embodiments, the computing device 100 includes at least one parallel processing unit and at least one image processing unit. In yet another of these embodiments, the computing device 100 includes multiple processing units of any type, one of which includes an image processing unit.

In some embodiments, the first computing device 100a executes an application on behalf of a user of the client computing device 100 b. In yet another embodiment, the computing device 100 executes a virtual machine that provides an execution session in which applications are executed on behalf of a user of the client computing device 100 b. In one of these embodiments, the execution session is a hosted desktop session. In yet another of these embodiments, the computing device 100 executes a terminal services session. The terminal services session may provide a hosted desktop environment. In yet another of these embodiments, the execution session provides access to a computing environment that may include one or more of the following: an application, a plurality of applications, a desktop application, and a desktop session in which one or more applications may execute.

B.Device architecture

Fig. 2A illustrates one example embodiment of a device 200. The appliance 200 architecture of fig. 2A is provided for purposes of example only and is not intended as a limiting architecture. As shown in FIG. 2, the appliance 200 includes a hardware layer 206 and a software layer divided into a user space 202 and a kernel space 204.

The hardware layer 206 provides the hardware elements on which programs and services in the kernel space 204 and the user space 202 are executed. The hardware layer 206 also provides structures and elements that allow programs and services within the kernel space 204 and the user space 202 to communicate data both internally and externally with respect to the appliance 200. As shown in FIG. 2, the hardware layer 206 includes a processing unit 262 for executing software programs and services, a memory 264 for storing software and data, a network port 266 for transmitting and receiving data over a network, and an encryption processor 260 for performing functions associated with the secure socket protocol layer to process data transmitted and received over the network. In some embodiments, the central processing unit 262 may perform the functions of the encryption processor 260 in a separate processor. Additionally, hardware layer 206 may include multiple processors for each processing unit 262 and encryption processor 260. Processor 262 may include any of processors 101 described above in connection with fig. 1E and 1F. For example, in one embodiment, the device 200 includes a first processor 262 and a second processor 262'. In other embodiments, processor 262 or 262' includes a multicore processor.

Although the hardware layer 206 of the appliance 200 is shown with a cryptographic processor 260 in general, the processor 260 may be a processor that performs functions involving any cryptographic protocol, such as a Secure Socket Layer (SSL) or Transport Layer Security (TLS) protocol. In some embodiments, processor 260 may be a General Purpose Processor (GPP), and in further embodiments, may be executable instructions for performing any security-related protocol processing.

Although the hardware layer 206 of the apparatus 200 in fig. 2 includes certain elements, the hardware portions or components of the apparatus 200 may include any type and form of elements, hardware, or software of a computing device, such as the computing device 100 shown and discussed herein in connection with fig. 1E and 1F. In some embodiments, the device 200 may comprise a server, gateway, router, switch, bridge, or other type of computing or networking device, and possess any hardware and/or software elements associated therewith.

The operating system of device 200 allocates, manages, or otherwise separates available system memory into kernel space 204 and user space 204. In the example software architecture 200, the operating system may be any type and/or form of Unix operating system, although the invention is not so limited. In this way, the device 200 may run any operating system, such as any version

Windows operating system, different versions of the Unix and Linux operating systems, any version of the Macintosh computer's Mac

Any embedded operating system, any network operating system, any real-time operating system, any open source operating system, any special purpose operating system, any operating system for a mobile computing device or a network device, or any other operating system capable of running on the apparatus 200 and performing the operations described herein.

Kernel space 204 is reserved for running kernel 230, and kernel 230 includes any device drivers, kernel extensions, or other kernel-related software. As known to those skilled in the art, the kernel 230 is the core of the operating system and provides access, control, and management of resources and associated hardware elements of the device 104. According to an embodiment of the apparatus 200, the kernel space 204 also includes a plurality of network services or processes working in conjunction with a cache manager 232, the cache manager 232 sometimes also referred to as an integrated cache, the benefits of which are described in further detail herein. Additionally, embodiments of the kernel 230 will depend on the embodiment of the operating system installed, configured, or otherwise used by the appliance 200.

In one embodiment, the appliance 200 includes a network stack 267, such as a TCP/IP based stack, for communicating with the client 102 and/or the server 106. In one embodiment, the network stack 267 is used to communicate with a first network (e.g., network 108) and a second network 110. In some embodiments, the appliance 200 terminates the first transport layer connection, e.g., a TCP connection of the client 102, and establishes a second transport layer connection used by the client 102 to the server 106, e.g., terminates the second transport layer connection between the appliance 200 and the server 106. The first and second transport layer connections may be established through separate network stacks 267. In other embodiments, the appliance 200 may include multiple network stacks, such as 267 or 267 ', and the first transport layer connection may be established or terminated on one network stack 267 and the second transport layer connection may be established or terminated on a second network stack 267'. For example, one network stack may be used to receive and transmit network packets on a first network and another network stack may be used to receive and transmit network packets on a second network. In one embodiment, the network stack 267 includes a buffer 243 for queuing one or more network packets for transmission by the appliance 200.

As shown in FIG. 2, the kernel space 204 includes a cache manager 232, a high speed layer 2-7 integrated packet engine 240, an encryption engine 234, a policy engine 236, and multi-protocol compression logic 238. Running these components or processes 232, 240, 234, 236, and 238 in kernel space 204 or kernel mode instead of user space 202 improves the performance of each of these components individually and in combination. Kernel operation means that these components or processes 232, 240, 234, 236 and 238 run in the kernel address space of the operating system of the appliance 200. For example, running the encryption engine 234 in kernel mode may improve encryption performance by moving encryption and decryption operations to the kernel, which may reduce the amount of transfers between memory space or kernel threads in kernel mode and memory space or threads in user mode. For example, data obtained in kernel mode may not need to be transferred or copied to a process or thread running in user mode, e.g., from a kernel-level data structure to a user-level data structure. In another aspect, the number of context switches between kernel mode and user mode may also be reduced. Additionally, synchronization and communication among any of the components or processes 232, 240, 235, 236, and 238 may be performed more efficiently in kernel space 204.

In some embodiments, any portion of the

components

232, 240, 234, 236, and 238 may run or operate in the kernel space 204, while other portions of these

components

232, 240, 234, 236, and 238 may run or operate in the user space 202. In one embodiment, the appliance 200 uses a kernel-level data structure to provide access to any portion of one or more network packets, e.g., network packets that include a request from a client 102 or a response from a server 106. In some embodiments, the kernel-level data structure may be obtained by the packet engine 240 through a transport layer driver interface or filter to the network stack 267. The kernel-level data structure may include any interface and/or data accessible through the kernel space 204 associated with the network stack 267, network traffic or packets received or sent by the network stack 267. In other embodiments, any of the components or processes 232, 240, 234, 236, and 238 may use the kernel-level data structure to perform the required operations of the component or process. In one example, the

components

232, 240, 234, 236, and 238 run in kernel mode 204 when a kernel-level data structure is used, while in yet another embodiment, the

components

232, 240, 234, 236, and 238 run in user mode when a kernel-level data structure is used. In some embodiments, the kernel-level data structure may be copied or passed to a second kernel-level data structure, or any desired user-level data structure.

The cache manager 232 may include software, hardware, or any combination of software and hardware to provide cache access, control, and management of any type and form of content, such as objects or dynamically generated objects serviced by the origin server 106. The data, objects, or content processed and stored by the cache manager 232 may include data in any format (e.g., markup language), or any type of data communicated via any protocol. In some embodiments, the cache manager 232 replicates original data stored elsewhere or previously computed, generated, or transmitted data, where longer access times are required to fetch, compute, or otherwise obtain the original data relative to reading the cache memory elements. Once the data is stored in the cache storage element, subsequent operations can be performed by accessing the cached copy rather than retrieving or recalculating the original data, thus reducing access time. In some embodiments, the cache elements may comprise data objects in the memory 264 of the appliance 200. In other embodiments, the cache storage element may comprise memory having a faster access time than memory 264. In yet another embodiment, the cache element may comprise any type and form of storage element of the device 200, such as a portion of a hard disk. In some embodiments, the processing unit 262 may provide cache memory for use by the cache manager 232. In yet another embodiment, the cache manager 232 may cache data, objects, or other content using any portion and combination of memory, storage, or processing units.

Additionally, the cache manager 232 includes any logic, functions, rules, or operations for performing any embodiment of the techniques of the appliance 200 described herein. For example, the cache manager 232 includes logic or functionality to invalidate objects based on the expiration of an invalidation time period, or receiving an invalidation command from the client 102 or server 106. In some embodiments, the cache manager 232 may operate as a program, service, process, or task executing in the kernel space 204, and in other embodiments, in the user space 202. In one embodiment, a first portion of the cache manager 232 executes in the user space 202 and a second portion executes in the kernel space 204. In some embodiments, the cache manager 232 may comprise any type of General Purpose Processor (GPP), or any other type of integrated circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Device (PLD), or an Application Specific Integrated Circuit (ASIC).

The policy engine 236 may include, for example, a smart statistics engine or other programmable application. In one embodiment, the policy engine 236 provides a configuration mechanism to allow a user to identify, specify, define, or configure a caching policy. The policy engine 236, in some embodiments, also accesses memory to support data structures, such as a backup table or a hash table, to enable user-selected cache policy decisions. In other embodiments, policy engine 236 may include any logic, rules, functions, or operations to determine and provide access, control, and management of objects, data, or content cached by appliance 200, in addition to access, control, and management of security, network traffic, network access, compression, or any other function or operation performed by appliance 200. Other embodiments of particular cache policies are described further herein.

The encryption engine 234 comprises any logic, business rules, functions, or operations for handling the processing of any security-related protocol, such as SSL or TLS, or any function involved therein. For example, the encryption engine 234 encrypts and decrypts network packets, or any portion thereof, that are transmitted through the appliance 200. The encryption engine 234 may also set up or establish SSL or TLS connections on behalf of the clients 102a-102n, servers 106a-106n, or the appliance 200. Thus, the encryption engine 234 provides offloading and acceleration of SSL processing. In one embodiment, the encryption engine 234 uses a tunneling protocol to provide a virtual private network between the clients 102a-102n and the servers 106a-106 n. In some embodiments, the encryption engine 234 is in communication with an encryption processor 260. In other embodiments, the encryption engine 234 comprises executable instructions running on the encryption processor 260.

The multi-protocol compression engine 238 comprises any logic, business rules, functions, or operations for compressing one or more network packet protocols (e.g., any protocols used by the network stack 267 of the appliance 200). In one embodiment, the multi-protocol compression engine 238 bi-directionally compresses any TCP/IP based protocol between the clients 102a-102n and the servers 106a-106n, including Messaging Application Programming Interface (MAPI) (email), File Transfer Protocol (FTP), HyperText transfer protocol (HTTP), Common Internet File System (CIFS) protocol (file transfer), Independent Computing Architecture (ICA) protocol, Remote Desktop Protocol (RDP), Wireless Application Protocol (WAP), Mobile IP protocol, and Voice over Internet protocol (VoIP) protocol. In other embodiments, the multi-protocol compression engine 238 provides compression of hypertext markup language (HTML) based protocols, and in some embodiments, compression of any markup language, such as extensible markup language (XML). In one embodiment, the multi-protocol compression engine 238 provides compression of any high performance protocol, such as any protocol designed for appliance 200-to-appliance 200 communication. In yet another embodiment, the multi-protocol compression engine 238 uses a modified transmission control protocol to compress any payload of any communication or any communication, such as transactional TCP (T/TCP), TCP with selective acknowledgement (TCP-SACK), TCP with large window (TCP-LW), congestion prediction protocols such as TCP-Vegas protocol, and TCP spoofing protocol (TCP spoofing protocol).

Likewise, the multi-protocol compression engine 238 speeds up the performance of accessing applications for users via desktop clients, such as Micosoft Outlook, and non-web thin clients, such as any client enabled by general purpose enterprise applications like Oracle, SAP, and Siebel, for example, palm top computers. In some embodiments, the multi-protocol compression engine 238, by executing within the kernel mode 204 and integrating with the packet processing engine 240 accessing the network stack 267, may compress any protocol carried by the TCP/IP protocol, such as any application layer protocol.

The high speed layer 2-7 integrated packet engine 240, also commonly referred to as a packet processing engine, or packet engine, is responsible for the management of kernel-level processing of packets received and transmitted by the appliance 200 through the network port 266. The high speed layer 2-7 integrated packet engine 240 may include a buffer for queuing one or more network packets during processing of, for example, a receive network packet and a transmit network packet. In addition, the high speed layer 2-7 integrated packet engine 240 communicates with one or more network stacks 267 to send and receive network packets through the network port 266. The high-speed layer 2-7 integrated packet engine 240 works in conjunction with the encryption engine 234, cache manager 232, policy engine 236, and multi-protocol compression logic 238. More specifically, encryption engine 234 is configured to perform SSL processing of packets, policy engine 236 is configured to perform functions related to traffic management, such as request-level content switching and request-level cache redirection, and multi-protocol compression logic 238 is configured to perform functions related to data compression and decompression.

The high speed layer 2-7 integrated packet engine 240 includes a packet processing timer 242. In one embodiment, the packet processing timer 242 provides one or more time intervals to trigger input processing, e.g., receiving or outputting (i.e., transmitting) network packets. In some embodiments, the high speed layer 2-7 integrated packet engine 240 processes network packets in response to a timer 242. The packet processing timer 242 provides any type and form of signal to the packet engine 240 to notify, trigger, or transmit a time-related event, interval, or occurrence. In many embodiments, the packet processing timer 242 operates on the order of milliseconds, such as 100ms, 50ms, or 25 ms. For example, in some instances, the packet processing timer 242 provides a time interval or otherwise causes network packets to be processed by the high speed layer 2-7 integrated packet engine 240 at 10ms intervals, while in other embodiments, the high speed layer 2-7 integrated packet engine 240 is caused to process network packets at 5ms intervals, and in further embodiments, as short as 3, 2, or 1ms intervals. The high speed layer 2-7 integrated packet engine 240 may be connected, integrated, or in communication with the encryption engine 234, the cache manager 232, the policy engine 236, and the multi-protocol compression engine 238 during operation. Thus, any logic, functions, or operations of the encryption engine 234, cache manager 232, policy engine 236, and multi-protocol compression engine 238 may be performed in response to the packet processing timer 242 and/or the packet engine 240. Thus, at the granularity of the time interval provided by the packet processing timer 242, any logic, functions, or operations of the encryption engine 234, cache manager 232, policy engine 236, and multi-protocol compression engine 238 may be performed, e.g., the time interval is less than or equal to 10 ms. For example, in one embodiment, the cache manager 232 may perform the termination of any cached objects in response to the high speed layer 2-7 integrated packet engine 240 and/or the packet handling timer 242. In yet another embodiment, the expiration or invalidation time of the cached objects is set to the same level of granularity as the time interval of the packet processing timer 242, e.g., every 10 ms.

Unlike kernel space 204, user space 202 is a storage area or portion of an operating system used by user mode applications or programs running in user mode. User mode applications cannot access kernel space 204 directly but use service calls to access kernel services. As shown in FIG. 2, the user space 202 of the device 200 includes a Graphical User Interface (GUI)210, a Command Line Interface (CLI)212, a shell service 214, a health monitor 216, and a daemon service 218. GUI210 and CLI212 provide a means by which a system administrator or other user can interact and control the operation of appliance 200, such as through the operating system of appliance 200. The GUI210 and CLI212 may comprise code running in the user space 202 or kernel framework 204. The GUI210 may be any type or form of graphical user interface that may be presented by any type of program or application (e.g., a browser) through text, graphics, or other forms. CLI212 may be any type and form of command line or text-based interface, such as a command line provided by an operating system. For example, the CLI212 may include a shell, which is a tool that enables a user to interact with an operating system. In some embodiments, the CLI212 may be provided by a bash, csh, tcsh, or ksh type of shell. Shell services 214 include programs, services, tasks, processes, or executable instructions to support interaction with device 200 or an operating system by a user through GUI210 and/or CLI 212.

The health monitoring program 216 is used to monitor, check, report and ensure that the network system is functioning properly and that the user is receiving requested content over the network. The health monitoring program 216 includes one or more programs, services, tasks, processes, or executable instructions that provide logic, rules, functions, or operations for monitoring any behavior of the device 200. In some embodiments, the health monitor 216 intercepts and inspects any network traffic passing through the appliance 200. In other embodiments, the health monitor 216 interfaces with one or more of the following devices by any suitable method and/or mechanism: encryption engine 234, cache manager 232, policy engine 236, multi-protocol compression logic 238, packet engine 240, daemon services 218, and shell services 214. Thus, health monitor 216 may invoke any Application Programming Interface (API) to determine the status, condition, or health of any portion of device 200. For example, the health monitoring program 216 may periodically ping or send status queries to check whether a program, process, service, or task is active and currently running. In yet another embodiment, the health monitoring program 216 may examine any status, error, or history log provided by any program, process, service, or task to determine any condition, status, or error of any portion of the appliance 200.

The daemon service 218 is a program that runs continuously or in the background and processes periodic service requests received by the device 200. In some embodiments, the daemon service may forward the request to other programs or processes (e.g., another daemon service 218 as appropriate). As is well known to those skilled in the art, the daemon service 218 may operate unattended to perform continuous or periodic system wide functions, such as network control, or to perform any required tasks. In some embodiments, one or more daemon services 218 run in the user space 202, while in other embodiments, one or more daemon services 218 run in the kernel space.

Referring now to FIG. 2B, yet another embodiment of the device 200 is depicted. In general, the device 200 provides one or more of the following services, functions or operations: SSL VPN connectivity 280 for communication between one or more clients 102 and one or more servers 106, switching/load balancing 284, domain name service resolution 286, acceleration 288, and application firewalls 290. Each of the servers 106 may provide one or more network-related services 270a-270n (referred to as services 270). For example, the server 106 may provide the http service 270. The appliance 200 includes one or more virtual servers or virtual internet protocol servers, referred to as vservers 275, vSs 275, VIP servers or just VIPs 275a-275n (also referred to herein as vservers 275). The vServer 275 receives, intercepts, or otherwise handles communications between the client 102 and the server 106 depending on the configuration and operation of the appliance 200.

The vServer 275 may comprise software, hardware, or any combination of software and hardware. The vServer 275 may include any type and form of program, service, task, process, or executable instructions that run in the user mode 202, kernel mode 204, or any combination thereof in the appliance 200. The vServer 275 includes any logic, function, rule, or operation to perform any embodiment of the techniques described herein, such as SSL VPN 280, translation/load balancing 284, domain name service resolution 286, acceleration 288, and application firewall 290. In some embodiments, the vServer 275 establishes a connection to the service 270 of the server 106. The service 275 may include any program, application, process, task, or set of executable instructions capable of connecting to and communicating with the appliance 200, client 102, or vServer 275. For example, the service 275 may include a web server, an http server, an ftp, an email, or a database server. In some embodiments, the service 270 is a daemon process or network driver that listens, receives, and/or sends communications for an application, such as an email, a database, or an enterprise application. In some embodiments, the service 270 may communicate on a particular IP address, or IP address and port.

In some embodiments, the vServer 275 applies one or more policies of the policy engine 236 to network communications between the client 102 and the server 106. In one embodiment, the policy is associated with the vServer 275. In yet another embodiment, the policy is based on a user or group of users. In yet another embodiment, the policies are generic and apply to one or more vServers 275a-275n, and any users or groups of users communicating through the appliance 200. In some embodiments, the policy of the policy engine has conditions for applying the policy based on any content of the communication, such as an internet protocol address, a port, a protocol type, a header or field in a packet, or a context of the communication, such as a user, a group of users, a vServer 275, a transport layer connection, and/or an identification or attribute of the client 102 or server 106.

In other embodiments, the appliance 200 communicates or interfaces with the policy engine 236 to determine the authentication and/or authorization of a remote user or remote client 102 to access the computing environment 15, applications, and/or data files from the server 106. In yet another embodiment, the appliance 200 communicates or interacts with the policy engine 236 to determine authentication and/or authorization of a remote user or remote client 102 to cause the application delivery system 190 to deliver one or more computing environments 15, applications, and/or data files. In yet another embodiment, the appliance 200 establishes a VPN or SSL VPN connection based on authentication and/or authorization of the remote user or remote client 102 by the policy engine 236. In one embodiment, the appliance 200 controls network traffic and communication sessions based on policies of the policy engine 236. For example, based on the policy engine 236, the appliance 200 may control access to the computing environment 15, applications, or data files.

In some embodiments, the vServer 275 establishes a transport layer connection, such as a TCP or UDP connection, with the client 102 via the client proxy 120. In one embodiment, the vServer 275 listens for and receives communications from the client 102. In other embodiments, the vServer 275 establishes a transport layer connection, such as a TCP or UDP connection, with the client server 106. In one embodiment, the vServer 275 establishes a transport layer connection to the internet protocol address and port of the server 270 running on the server 106. In yet another embodiment, the vServer 275 associates a first transport layer connection to the client 102 with a second transport layer connection to the server 106. In some embodiments, the vServer 275 establishes a pool of transport layer connections to the servers 106 and multiplexes the client's requests via the pooled (pooled) transport layer connections.

In some embodiments, the appliance 200 provides an SSL VPN connection 280 between the client 102 and the server 106. For example, a client 102 on a first network 102 requests to establish a connection to a server 106 on a second network 104'. In some embodiments, the second network 104' is not routable from the first network 104. In other embodiments, the client 102 is located on a public network 104 and the server 106 is located on a private network 104', such as an enterprise network. In one embodiment, the client agent 120 intercepts communications of the client 102 on the first network 104, encrypts the communications, and sends the communications to the appliance 200 via the first transport layer connection. The appliance 200 associates the first transport layer connection on the first network 104 with the second transport layer connection to the server 106 on the second network 104. The appliance 200 receives the intercepted communication from the client agent 102, decrypts the communication, and sends the communication to the server 106 on the second network 104 via the second transport layer connection. The second transport layer connection may be a pooled transport layer connection. Likewise, the appliance 200 provides an end-to-end secure transport layer connection for the client 102 between the two networks 104, 104'.

In one embodiment, the appliance 200 hosts an intranet internet protocol or IntranetIP 282 address of the client 102 on the virtual private network 104. The client 102 has a local network identifier, such as an Internet Protocol (IP) address and/or a host name on the first network 104. When connected to the second network 104 'via the appliance 200, the appliance 200 establishes, assigns, or otherwise provides an IntranetIP, which is a network identifier such as an IP address and/or host name, for the client 102 over the second network 104'. Using the established intranet ip 282 for the client, the appliance 200 listens on the second or private network 104' for and receives any communications directed to the client 102. In one embodiment, the appliance 200 acts as or on behalf of the client 102 on the second private network 104. For example, in yet another embodiment, the vServer 275 listens for and responds to communications to the IntranetIP 282 of the client 102. In some embodiments, if the computing device 100 on the second network 104' sends a request, the appliance 200 processes the request as if it were the client 102. For example, the device 200 may respond to a ping of the client IntranetIP 282. In yet another embodiment, the appliance may establish a connection, such as a TCP or UDP connection, with the computing device 100 on the second network 104 requesting a connection with the client intranet ip 282.

In some embodiments, the appliance 200 provides one or more of the following acceleration techniques 288 for communications between the client 102 and the server 106: 1) compressing; 2) decompressing; 3) a transmission control protocol pool;

4) transmission control protocol multiplexing; 5) transmission control protocol buffering; and 6) caching. In one embodiment, the appliance 200 relieves servers 106 of the substantial processing load caused by repeatedly opening and closing transport layer connections to clients 102 by opening one or more transport layer connections with each server 106 and maintaining these connections to allow repeated data accesses by clients over the Internet. This technique is referred to herein as "connection pooling".

In some embodiments, to seamlessly splice communications from the client 102 to the server 106 via the pooled transport layer connections, the appliance 200 converts or multiplexes the communications by modifying the sequence and acknowledgement numbers at the transport layer protocol level. This is called "connection multiplexing". In some embodiments, application layer protocol interaction is not required. For example, in the case of an incoming packet (i.e., a packet received from the client 102), the source network address of the packet is changed to the network address of the output port of the appliance 200, and the destination network address is changed to the network address of the destination server. In the case of an outgoing packet (i.e., one received from the server 106), the source network address is changed from the network address of the server 106 to the network address of the output port of the appliance 200, and the destination address is changed from the network address of the appliance 200 to the network address of the requesting client 102. The sequence number and acknowledgement number of the packet are also translated to a sequence number and acknowledgement expected by the client 102 on the transport layer connection of the appliance 200 to the client 102. In some embodiments, the packet checksum of the transport layer protocol is recalculated to account for these conversions.

In yet another embodiment, the appliance 200 provides a switching or load balancing function 284 for communications between the client 102 and the server 106. In some embodiments, the appliance 200 distributes traffic and directs client requests to the server 106 according to layer 4 or application layer request data. In one embodiment, although the network layer or layer 2 of the network packet identifies the destination server 106, the appliance 200 determines the server 106 to distribute the network packet by carrying data and application information that is the payload of the transport layer packet. In one embodiment, the health monitoring program 216 of the appliance 200 monitors the health of the servers to determine to which server 106 to distribute the client request. In some embodiments, if the appliance 200 detects that a server 106 is unavailable or has a load that exceeds a predetermined threshold, the appliance 200 may direct or distribute client requests to another server 106.

In some embodiments, the appliance 200 acts as a Domain Name Service (DNS) resolver or otherwise provides resolution for DNS requests from the client 102. In some embodiments, the appliance intercepts a DNS request sent by the client 102. In one embodiment, the appliance 200 responds to the client's DNS request with the IP address of the appliance 200 or the IP address hosted by it. In this embodiment, client 102 sends a network communication for the domain name to device 200. In yet another embodiment, the appliance 200 responds to the client's DNS request with the IP address of or hosted by the second appliance 200'. In some embodiments, the appliance 200 responds to the client's DNS request with the IP address of the server 106 determined by the appliance 200.

In yet another embodiment, the appliance 200 provides an application firewall function 290 for communications between the client 102 and the server 106. In one embodiment, policy engine 236 provides rules for detecting and blocking illegitimate requests. In some embodiments, the application firewall 290 protects against denial of service (DoS) attacks. In other embodiments, the appliance examines the content of the intercepted request to identify and block application-based attacks. In some embodiments, the rules/policy engine 236 includes one or more application firewall or security control policies for providing protection against multiple kinds and types of web or internet based vulnerabilities, such as one or more of the following: 1) buffer drain, 2) CGI-BIN parameter manipulation, 3) form/hidden field manipulation, 4) forced browsing, 5) cookie or session poisoning, 6) corrupted Access Control Lists (ACLs) or weak passwords, 7) cross site scripting (XSS), 8) command injection, 9) SQL injection, 10) false trigger sensitive information leakage, 11) insecure use of encryption, 12) server misconfiguration, 13) backdoor and debug options, 14) website correction, 15) platform or operating system vulnerabilities, and 16) zero-day attacks. In one embodiment, the firewall 290 is applied to provide protection of HTML formatted fields in the form of inspecting or analyzing network traffic for one or more of the following: 1) return required fields, 2) disallow additional fields, 3) read-only and hidden field enforcement (enforcement), 4) consistency of drop lists and radio button fields, and 5) format field maximum length enforcement. In some embodiments, the application firewall 290 ensures that cookies are not modified. In other embodiments, the application firewall 290 protects against forced browsing by executing a legitimate URL.

In other embodiments, the application firewall 290 protects any confidential information contained in the network communications. The application firewall 290 may examine or analyze any network communication according to rules or policies of the engine 236 to identify any confidential information in any field of the network packet. In some embodiments, the application firewall 290 identifies one or more occurrences of credit card numbers, passwords, social security numbers, names, patient codes, contact information, and ages in network communications. The encoded portion of the network communication may include such presence or confidential information. Based on these occurrences, in one embodiment, the application firewall 290 can take a policy action on the network communication, such as blocking the sending of the network communication. In yet another embodiment, the application firewall 290 may rewrite, move, or otherwise mask the identified presence or confidential information.

Still referring to FIG. 2B, the appliance 200 may include a performance monitoring agent 197 as discussed above in connection with FIG. 1D. In one embodiment, the appliance 200 receives the monitoring agent 197 from the monitoring service 198 or monitoring server 106 as described in FIG. 1D. In some embodiments, the appliance 200 maintains the monitoring agent 197 in a storage device, such as a disk, for transmission to any client or server in communication with the appliance 200. For example, in one embodiment, the appliance 200 sends the monitoring agent 197 to the client upon receiving a request to establish a transport layer connection. In other embodiments, the appliance 200 sends the monitoring agent 197 when establishing a transport layer connection with the client 102. In yet another embodiment, the appliance 200 sends the monitoring agent 197 to the client upon intercepting or detecting a request for a web page. In yet another embodiment, the appliance 200 sends the monitoring agent 197 to a client or server in response to a request by the monitoring server 198. In one embodiment, the appliance 200 sends the monitoring agent 197 to a second appliance 200' or appliance 205.

In other embodiments, the appliance 200 executes the monitoring agent 197. In one embodiment, the monitoring agent 197 measures and monitors the performance of any application, program, process, service, task, or thread executing on the appliance 200. For example, the monitoring agent 197 may monitor and measure the performance and operation of vServers 275A-275N. In yet another embodiment, the monitoring agent 197 measures and monitors the performance of any transport layer connection of the appliance 200. In some embodiments, the monitoring agent 197 measures and monitors the performance of any user sessions through the appliance 200. In one embodiment, the monitoring agent 197 measures and monitors the performance of any virtual private network connection and/or session through the appliance 200, such as an SSL VPN session. In further embodiments, the monitoring agent 197 measures and monitors memory, CPU and disk usage and performance of the device 200. In yet another embodiment, the monitoring agent 197 measures and monitors the performance of any acceleration techniques 288 performed by the appliance 200, such as SSL offload, connection pooling and multiplexing, caching, and compression. In some embodiments, the monitoring agent 197 measures and monitors the performance of any load balancing and/or content exchange 284 performed by the appliance 200. In other embodiments, the monitoring agent 197 measures and monitors the performance of application firewall 290 protection and processing performed by the appliance 200.

C.Client proxy

Referring now to FIG. 3, an embodiment of a client agent 120 is described. The client 102 includes a client agent 120 for establishing and exchanging communications with the appliance 200 and/or the server 106 via the network 104. In general, the client 102 operates on a computing device 100, the computing device 100 having an operating system with a kernel mode 302 and a user mode 303, and a network stack 310 with one or more layers 310a-310 b. The client 102 may have installed and/or executed one or more applications. In some embodiments, one or more applications may communicate with the network 104 through the network stack 310. One of the applications, such as a web browser, may also include a first program 322. For example, the first program 322 may be used in some embodiments to install and/or execute the client agent 120, or any portion thereof. The client agent 120 includes an interception mechanism or interceptor 350 for intercepting network communications from one or more applications from the network stack 310.

The network stack 310 of the client 102 may include any type and form of software, or hardware, or combination thereof, for providing connectivity and communication with a network. In one embodiment, the network stack 310 includes a software implementation for a network protocol suite. The network stack 310 may include one or more network layers, such as any network layer of the Open Systems Interconnection (OSI) communication model recognized and understood by those skilled in the art. As such, the network stack 310 may include any type and form of protocol for any of the following OSI model layers: 1) a physical link layer; 2) a data link layer; 3) a network layer; 4) a transport layer; 5) session layer); 6) a presentation layer, and 7) an application layer. In one embodiment, the network stack 310 may include a Transmission Control Protocol (TCP) over a network layer protocol of the Internet Protocol (IP), commonly referred to as TCP/IP. In some embodiments, the TCP/IP protocol may be carried over an Ethernet protocol, which may comprise any family of IEEE Wide Area Network (WAN) or Local Area Network (LAN) protocols, such as those covered by IEEE 802.3. In some embodiments, the network stack 310 includes any type and form of wireless protocol, such as IEEE 802.11 and/or mobile Internet protocol.

Considering a TCP/IP-based network, any TCP/IP-based protocol may be used, including Messaging Application Programming Interface (MAPI) (email), File Transfer Protocol (FTP), HyperText transfer protocol (HTTP), Common Internet File System (CIFS) protocol (file transfer), Independent Computing Architecture (ICA) protocol, Remote Desktop Protocol (RDP), Wireless Application Protocol (WAP), Mobile IP protocol, and Voice over Internet protocol (VoIP) protocol. In yet another embodiment, the network stack 310 includes any type and form of transmission control protocol, such as a modified transmission control protocol, e.g., transactional TCP (T/TCP), TCP with selective acknowledgement (TCP-SACK), TCP with large window (TCP-LW), congestion prediction protocol, e.g., TCP-Vegas protocol, and TCP spoofing protocol. In other embodiments, the network stack 310 may use any type and form of User Datagram Protocol (UDP), such as UDP over IP, for example, for voice communications or real-time data communications.

Additionally, the network stack 310 may include one or more network drivers, such as a TCP driver or a network layer driver, that support one or more layers. The network layer driver may be included as part of the operating system of computing device 100 or as part of any network interface card or other network access component of computing device 100. In some embodiments, any network driver of the network stack 310 may be customized, modified, or adapted to provide a customized or modified portion of the network stack 310 to support any of the techniques described herein. In other embodiments, the acceleration program 302 is designed and constructed to operate or work in conjunction with a network stack 310, which network stack 310 is installed or otherwise provided by the operating system of the client 102.

The network stack 310 includes any type and form of interface for receiving, obtaining, providing, or otherwise accessing any information and data related to network communications of the client 102. In one embodiment, the interface with the network stack 310 includes an Application Programming Interface (API). The interface may also include any function call, hook or filter mechanism, event or callback mechanism, or any type of interface technology. The network stack 310 may receive or provide any type and form of data structure, such as an object, associated with the functionality or operation of the network stack 310 via an interface. For example, the data structure may include information and data related to a network packet or one or more network packets. In some embodiments, the data structure comprises a portion of a network packet processed at a protocol layer of the network stack 310, such as a transport layer network packet. In some embodiments, data structure 325 comprises a kernel-level data structure, while in other embodiments, data structure 325 comprises a user-mode data structure. The kernel-level data structures may include data structures obtained or associated with a portion of the network stack 310 operating in the kernel mode 302, or a network driver or other software running in the kernel mode 302, or any data structure obtained or received by a service, process, task, thread, or other executable instruction running or operating in the kernel mode of the operating system.

Further, some portions of the network stack 310 may be performed or operated in kernel mode 302, e.g., the data link or network layer, while other portions are performed or operated in user mode 303, e.g., the application layer of the network stack 310. For example, a first portion 310a of the network stack may provide applications with user mode access to the network stack 310, while a second portion 310a of the network stack 310 provides access to the network. In some embodiments, the first portion 310a of the network stack may include one or more upper layers of the network stack 310, such as any of layers 5-7. In other embodiments, the second portion 310b of the network stack 310 includes one or more lower layers, such as any of layers 1-4. Each first portion 310a and second portion 310b of the network stack 310 may comprise any portion of the network stack 310, located at any one or more network layers, in the user mode 203, the kernel mode 202, or a combination thereof, or at any portion of a network layer or interface point to a network layer, or any portion of the user mode 203 and kernel mode 202 or interface point to the user mode 203 and kernel mode 202.

Interceptor 350 may comprise software, hardware, or any combination of software and hardware. In one embodiment, the interceptor 350 intercepts network communications at any point of the network stack 310 and redirects or transmits the network communications to a destination desired, managed, or controlled by the interceptor 350 or the client agent 120. For example, the interceptor 350 may intercept network communications of the network stack 310 of the first network and transmit the network communications to the appliance 200 for transmission on the second network 104. In some embodiments, the interceptor 350 comprises any type of interceptor 350 that includes a driver, such as a network driver, that is constructed and designed to interface and work with the network stack 310. In some embodiments, the client agent 120 and/or interceptor 350 operate at one or more layers of the network stack 310, such as at the transport layer. In one embodiment, interceptor 350 includes a filter driver, a hook mechanism, or any form and type of suitable network driver interface connected to the transport layer of the network stack, such as through a Transport Driver Interface (TDI). In some embodiments, the interceptor 350 is connected to a first protocol layer, such as the transport layer, and another protocol layer, such as any layer above the transport protocol layer, e.g., the application protocol layer. In one embodiment, interceptor 350 may include a driver that complies with the Network Driver Interface Specification (NDIS), or an NDIS driver. In yet another embodiment, the interceptor 350 may include a micro-filter or a micro-port driver. In one embodiment, interceptor 350, or portions thereof, operates in kernel mode 202. In yet another embodiment, the interceptor 350, or portions thereof, operates in the user mode 203. In some embodiments, a portion of the interceptor 350 operates in kernel mode 202 while another portion of the interceptor 350 operates in user mode 203. In other embodiments, the client agent 120 operates in user mode 203, but connects to a kernel mode driver, process, service, task, or part of the operating system through the interceptor 350, such as to obtain the kernel-level data structure 225. In other embodiments, the interceptor 350 is a user mode application or program, such as an application.

In one embodiment, the interceptor 350 intercepts any transport layer connection requests. In these embodiments, the interceptor 350 executes a transport layer Application Programming Interface (API) call to set destination information, such as a destination IP address and/or port to a desired location for positioning. In this manner, the interceptor 350 intercepts and redirects the transport layer connections to IP addresses and ports controlled or managed by the interceptor 350 or the client agent 120. In one embodiment, the interceptor 350 sets the destination information of the connection to the local IP address and port of the client 102 that the client agent 120 is listening on. For example, the client agent 120 may include a proxy service that listens for local IP addresses and ports for redirected transport layer communications. In some embodiments, the client agent 120 then transmits the redirected transport layer communication to the appliance 200.

In some embodiments, the interceptor 350 intercepts Domain Name Service (DNS) requests. In one embodiment, the client agent 120 and/or interceptor 350 resolves the DNS request. In yet another embodiment, the interceptor sends the intercepted DNS request to the appliance 200 for DNS resolution. In one embodiment, the appliance 200 resolves the DNS request and transmits a DNS response to the client agent 120. In some embodiments, the appliance 200 resolves the DNS request via another appliance 200' or the DNS server 106.

In yet another embodiment, the client agent 120 may include two agents 120 and 120'. In one embodiment, the first agent 120 may include an interceptor 350 operating at the network layer of the network stack 310. In some embodiments, the first agent 120 intercepts network layer requests, such as Internet Control Message Protocol (ICMP) requests (e.g., ping and trace routes). In other embodiments, the second agent 120' may operate at the transport layer and intercept transport layer communications. In some embodiments, the first agent 120 intercepts communications at one layer of the network stack 210 and connects with the second agent 120 'or communicates the intercepted communications to the second agent 120'.

The client agent 120 and/or interceptor 350 may operate at or interface with a protocol layer in a manner that is transparent to any other protocol layer of the network stack 310. For example, in one embodiment, the interceptor 350 may operate at or interface with the transport layer of the network stack 310 in a manner that is transparent to any protocol layer below the transport layer, such as the network layer, and any protocol layer above the transport layer, such as the session, presentation, or application layer protocol. This allows other protocol layers of the network stack 310 to operate as desired and need not be modified to use the interceptor 350. As such, the client agent 120 and/or interceptor 350 may be connected with the transport layer to secure, optimize, accelerate, route, or load balance any communication provided via any protocol carried by the transport layer, such as any application layer protocol over TCP/IP.

Further, the client agent 120 and/or interceptor may operate on or interface with the network stack 310 in a manner that is transparent to any application, user of the client 102, and any other computing device, such as a server, in communication with the client 102. The client agent 120 and/or interceptor 350 may be installed and/or executed on the client 102 in a manner that does not require modification of the application. In some embodiments, a user of the client 102 or a computing device in communication with the client 102 is unaware of the presence, execution, or operation of the client agent 120 and/or interceptor 350. Also, in some embodiments, the client agent 120 and/or interceptor 350 are installed, executed, and/or operated transparently with respect to the application, the user of the client 102, another computing device such as a server, or any protocol layer above and/or below the protocol layer connected by the interceptor 350.

The client agent 120 includes an acceleration program 302, a streaming client 306, a collection agent 304, and/or a monitoring agent 197. In one embodiment, the client agent 120 comprises an Independent Computing Architecture (ICA) client, or any portion thereof, developed by Citrix Systems Inc. of Fort Lauderdale, Florida, and is also referred to as an ICA client. In some embodiments, the client agent 120 includes an application streaming client 306 for streaming applications from the server 106 to the client 102. In some embodiments, the client agent 120 includes an acceleration program 302 for accelerating communications between the client 102 and the server 106. In yet another embodiment, the client agent 120 includes a collection agent 304 for performing endpoint detection/scanning and for collecting endpoint information for the appliance 200 and/or the server 106.

In some embodiments, the acceleration program 302 comprises a client-side acceleration program for executing one or more acceleration techniques to accelerate, enhance, or otherwise improve client communication with the server 106 and/or access to the server 106, such as access to applications provided by the server 106. The logic, functions, and/or operations of the executable instructions of the acceleration program 302 may perform one or more of the following acceleration techniques: 1) multiprotocol compression, 2) transport control protocol pooling, 3) transport control protocol multiplexing, 4) transport control protocol buffering, and 5) caching by a cache manager. Additionally, the acceleration program 302 may perform encryption and/or decryption of any communications received and/or transmitted by the client 102. In some embodiments, the acceleration program 302 performs one or more acceleration techniques in an integrated manner or format. Additionally, the acceleration program 302 may perform compression on any protocol or protocols carried by the payload of the network packet as a transport layer protocol.

The streaming client 306 includes an application, program, process, service, task, or executable instruction for receiving and executing an application streamed from the server 106. The server 106 may stream one or more application data files to the streaming client 306 for playing, executing, or otherwise causing an application on the client 102 to be executed. In some embodiments, the server 106 sends a set of compressed or packaged application data files to the streaming client 306. In some embodiments, the plurality of application files are compressed and stored in an archive file on a file server, such as a CAB, ZIP, SIT, TAR, JAR, or other archive file. In one embodiment, the server 106 decompresses, unpacks, or un-archives the application file and sends the file to the client 102. In yet another embodiment, the client 102 decompresses, unpacks, or un-archives the application file. The streaming client 306 dynamically installs the application or portions thereof and executes the application. In one embodiment, the streaming client 306 may be an executable program. In some embodiments, the streaming client 306 may be capable of launching another executable program.

The collection agent 304 includes an application, program, process, service, task, or executable instruction for identifying, obtaining, and/or collecting information about the client 102. In some embodiments, the appliance 200 sends the collection agent 304 to the client 102 or client agent 120. The collection agent 304 may be configured according to one or more policies of the policy engine 236 of the appliance. In other embodiments, the collection agent 304 sends the information collected on the client 102 to the appliance 200. In one embodiment, the policy engine 236 of the appliance 200 uses the collected information to determine and provide access, authentication, and authorization control for client connections to the network 104.

In one embodiment, the collection agent 304 includes an endpoint detection and scanning mechanism that identifies and determines one or more attributes or characteristics of the client. For example, the collection agent 304 may identify and determine any one or more of the following client-side attributes: 1) an operating system and/or version of the operating system, 2) a service package for the operating system, 3) running services, 4) running processes, and 5) files. The collection agent 304 may also identify and determine the presence or version of any one or more of the following software on the client: 1) anti-virus software; 2) personal firewall software; 3) anti-spam software, and 4) internet security software. The policy engine 236 may have one or more policies based on any one or more attributes or characteristics of the client or client-side attributes.

In some embodiments, the client agent 120 includes a monitoring agent 197 as discussed in conjunction with fig. 1D and 2B. The monitoring agent 197 may be any type and form of script, such as Visual Basic or Java script. In one embodiment, the monitoring agent 197 monitors and measures the performance of any portion of the client agent 120. For example, in some embodiments, the monitoring agent 197 monitors and measures the performance of the acceleration program 302. In yet another embodiment, the monitoring agent 197 monitors and measures performance of the streaming client 306. In other embodiments, the monitoring agent 197 monitors and measures the performance of the collection agent 304. In yet another embodiment, the monitoring agent 197 monitors and measures the performance of the interceptor 350. In some embodiments, the monitoring agent 197 monitors and measures any resources of the client 102, such as memory, CPU, and disk.

The monitoring agent 197 may monitor and measure the performance of any application of the client. In one embodiment, the monitoring agent 197 monitors and measures the performance of a browser on the client 102. In some embodiments, the monitoring agent 197 monitors and measures the performance of any applications transmitted via the client agent 120. In other embodiments, the monitoring agent 197 measures and monitors an end-user response time of an application, such as a web-based response time or an HTTP response time. The monitoring agent 197 may monitor and measure the performance of ICA or RDP clients. In yet another embodiment, the monitoring agent 197 measures and monitors metrics of a user session or an application session. In some embodiments, the monitoring agent 197 measures and monitors an ICA or RDP session. In one embodiment, the monitoring agent 197 measures and monitors the performance of the appliance 200 in accelerating the delivery of applications and/or data to the client 102.

In some embodiments, still referring to fig. 3, the first program 322 may be used to automatically, silently, transparently, or otherwise install and/or execute the client agent 120 or a portion thereof, such as the interceptor 350. In one embodiment, the first program 322 comprises a plug-in component, such as an ActiveX control or Java control or script, that is loaded into and executed by the application. For example, the first program comprises an ActiveX control loaded and run by a web browser application, for example in the context of a memory space or application. In yet another embodiment, the first program 322 includes a set of executable instructions that are loaded and executed by an application, such as a browser. In one embodiment, the first program 322 comprises a program designed and constructed to install the client agent 120. In some embodiments, the first program 322 obtains, downloads, or receives the client agent 120 from another computing device over a network. In yet another embodiment, the first program 322 is an installer program or plug-and-play manager for installing programs, such as network drivers, on the operating system of the client 102.

D.System and method for providing virtualized application delivery controller

Referring now to FIG. 4A, a block diagram depicts one embodiment of a virtualized environment 400. In general, the computing device 100 includes a hypervisor layer, a virtualization layer, and a hardware layer. The hypervisor layer includes a hypervisor 401 (also referred to as a virtualization manager) that allocates and manages access to a plurality of physical resources (e.g., processors 421 and disks 428) in the hardware layer through at least one virtual machine executing in the virtualization layer. The virtualization layer includes at least one operating system 410 and a plurality of virtual resources allocated to the at least one operating system 410. Virtual resources may include, without limitation, a plurality of

virtual processors

432a, 432b, 432c (collectively 432) and

virtual disks

442a, 442b, 442c (collectively 442), as well as virtual resources such as virtual memory and virtual network interfaces. The plurality of virtual resources and operating system may be referred to as virtual machine 406. The virtual machine 406 may include a control operating system 405, the control operating system 405 in communication with the hypervisor 401 and for executing applications to manage and configure other virtual machines on the computing device 100.

In particular, hypervisor 401 may provide virtual resources to an operating system in any manner that simulates the operating system having access to a physical device. Hypervisor 401 may provide virtual resources to any number of

guest operating systems

410a, 410b (collectively 410). In some embodiments, computing device 100 executes one or more hypervisors. In these embodiments, the hypervisor may be used to simulate virtual hardware, partition physical hardware, virtualize physical hardware, and execute virtual machines that provide access to the computing environment. The hypervisors may include those programs manufactured by VMWare of Palo Alto, Calif., USA; XEN hypervisor (an open source product, the development of which is regulated by the open source XEN. org association); HyperV, VirtualServer, or virtual PC hypervisor, offered by Microsoft corporation, or others. In some embodiments, computing device 100 executes a hypervisor that creates a virtual machine platform on which guest operating systems may execute, which computing device 100 is referred to as a hosting server. In one of these embodiments, for example, the computing device 100 is an XeN SERVER provided by Citrix Systems, Inc. of Fort Lauderdale, Florida, USA.

In some embodiments, the hypervisor 401 executes within an operating system executing on a computing device. In one of these embodiments, the computing device executing the operating system and hypervisor 401 may be viewed as having a host operating system (the operating system executing on the computing device), and a guest operating system (the operating system executing within the computing resource partition provided by the hypervisor 401). In other embodiments, the hypervisor 401 interacts directly with hardware on the computing device rather than executing on the host operating system. In one of these embodiments, hypervisor 401 may be considered to execute on "bare metal," which refers to the hardware comprising the computing device.

In some embodiments, hypervisor 401 may spawn virtual machines 406a-c (collectively 406) in which operating system 410 executes. In one of these embodiments, hypervisor 401 loads a virtual machine image to create virtual machine 406. In another of these embodiments, hypervisor 401 executes operating system 410 within virtual machine 406. In still another of these embodiments, virtual machine 406 executes operating system 410.

In some embodiments, the hypervisor 401 controls processor scheduling and memory partitioning of the virtual machine 406 executing on the computing device 100. In one of these embodiments, hypervisor 401 controls the execution of at least one virtual machine 406. In yet another of these embodiments, the hypervisor 401 presents to at least one virtual machine 406 an abstraction of at least one hardware resource provided by the computing device 100. In other embodiments, hypervisor 401 controls whether and how physical processor capabilities are presented to virtual machine 406.

The control operating system 405 may execute at least one application for managing and configuring guest operating systems. In one embodiment, the control operating system 405 may execute a management application, such as an application that includes a user interface that provides an administrator with access to functions for managing virtual machine execution, including functions for executing a virtual machine, suspending virtual machine execution, or identifying a type of physical resource to allocate to a virtual machine. In yet another embodiment, the hypervisor 401 executes the control operating system 405 within a virtual machine 406 created by the hypervisor 401. In yet another embodiment, the control operating system 405 executes on a virtual machine 406 that is authorized to directly access physical resources on the computing device 100. In some embodiments, the control operating system 405a on the computing device 100a may exchange data with the control operating system 405b on the computing device 100b through communication between the hypervisor 401a and the hypervisor 401 b. In this way, one or more computing devices 100 may exchange data with one or more other computing devices 100 regarding processors or other physical resources available in the resource pool. In one of these embodiments, this functionality allows the hypervisor to manage a pool of resources distributed across multiple physical computing devices. In yet another of these embodiments, a plurality of hypervisors manage one or more guest operating systems executing on a computing device 100.

In one embodiment, control operating system 405 executes on a virtual machine 406 that is authorized to interact with at least one guest operating system 410. In yet another embodiment, guest operating system 410 communicates with control operating system 405 through hypervisor 401 to request access to a disk or network. In yet another embodiment, guest operating system 410 and control operating system 405 may communicate over a communication channel established by hypervisor 401, for example, over multiple shared memory pages provided by hypervisor 401.

In some embodiments, the control operating system 405 includes a network back-end driver for communicating directly with network hardware provided by the computing device 100. In one of these embodiments, the network backend driver processes at least one virtual machine request from at least one guest operating system 110. In other embodiments, the control operating system 405 includes a block back-end driver for communicating with storage elements on the computing device 100. In one of these embodiments, the block back-end driver reads and writes data from the storage elements based on at least one request received from guest operating system 410.

In one embodiment, the control operating system 405 includes a tool stack 404. In other embodiments, the tool stack 404 provides the following functions: interact with the hypervisor 401, communicate with other control operating systems 405 (e.g., located on the second computing device 100 b), or manage the virtual machines 406b, 406c on the computing device 100. In yet another embodiment, the tool stack 404 includes a custom application for providing improved management functionality to an administrator of the virtual machine cluster. In some embodiments, at least one of the tool stack 404 and the control operating system 405 includes a management API that provides an interface for remotely configuring and controlling a virtual machine 406 running on the computing device 100. In other embodiments, the control operating system 405 communicates with the hypervisor 401 through the tool stack 404.

In one embodiment, hypervisor 401 executes guest operating system 410 within virtual machine 406 created by hypervisor 401. In yet another embodiment, guest operating system 410 provides a user of computing device 100 with access to resources in a computing environment. In yet another embodiment, the resources include programs, applications, documents, files, applications, files, executable program files, desktop environments, computing environments, or other resources available to a user of the computing device 100. In yet another embodiment, resources may be transferred to the computing device 100 through multiple access methods, including but not limited to: conventional installation directly on the computing device 100, transmission to the computing device 100 by a method of application streaming, transmission of output data generated by execution resources on the second computing device 100 'and transmitted to the computing device 100 by a presentation layer protocol to the computing device 100, transmission of output data generated by execution resources of a virtual machine executing on the second computing device 100' to the computing device 100, or execution from a mobile storage device (e.g., a USB device) connected to the computing device 100 or execution by a virtual machine executing on the computing device 100 and generating output data. In some embodiments, the computing device 100 transmits output data generated by the execution of the resource to another computing device 100'.

In one embodiment, guest operating system 410 and the virtual machine on which guest operating system 410 executes in combination form a fully virtualized virtual machine that is not aware of itself being a virtual machine, and such a machine may be referred to as a "Domain U HVM (hardware virtual machine) virtual machine". In yet another embodiment, a fully virtualized machine includes software that emulates a basic input/output system (BIOS) to execute an operating system in the fully virtualized machine. In yet another embodiment, a fully virtualized machine may include drivers that provide functionality by communicating with hypervisor 401. In such embodiments, the driver may be aware that it is executing in a virtualized environment. In yet another embodiment, guest operating system 410 and the virtual machine on which guest operating system 410 executes combine to form a para-virtualized virtual machine that is aware that it is a virtual machine, such a machine may be referred to as a "Domain U PV virtual machine". In yet another embodiment, the para-virtualized machine includes additional drivers that are not included in a fully virtualized machine. In yet another embodiment, the para-virtualized machine includes a network back-end driver and a block back-end driver as described above that are included in the control operating system 405.

Referring now to FIG. 4B, a block diagram depicts one embodiment of a plurality of networked computing devices in a system in which at least one physical host executes a virtual machine. In general, the system includes a management component 404 and a hypervisor 401. The system includes a plurality of computing devices 100, a plurality of virtual machines 406, a plurality of hypervisors 401, a plurality of management components (also referred to as tool stacks 404 or management components 404), and physical resources 421, 428. Each of the plurality of physical machines 100 may be provided as a computing device 100 as described above in connection with fig. 1E-1H and 4A.

In particular, the physical disks 428 are provided by the computing device 100, storing at least a portion of the virtual disks 442. In some embodiments, virtual disk 442 is associated with a plurality of physical disks 428. In one of these embodiments, one or more computing devices 100 may exchange data with one or more other computing devices 100 regarding processors or other physical resources available in the resource pool, allowing the hypervisor to manage the resource pool distributed across multiple physical computing devices. In some embodiments, the computing device 100 on which the virtual machine 406 executes is referred to as a physical host 100 or a host 100.

The hypervisor executes on a processor on the computing device 100. The hypervisor allocates the amount of access to the physical disk to the virtual disk. In one embodiment, hypervisor 401 allocates an amount of space on a physical disk. In yet another embodiment, hypervisor 401 allocates multiple pages on a physical disk. In some embodiments, the hypervisor provides the virtual disk 442 as part of the process of initializing and executing the virtual machine 450.

In one embodiment, the management component 404a is referred to as a pool management component 404 a. In yet another embodiment, the management operating system 405a, which may be referred to as a control management system 405a, includes a management component. In some embodiments, the management component is referred to as a tool stack. In one of these embodiments, the management component is the tool stack 404 described above in connection with FIG. 4A. In other embodiments, management component 404 provides a user interface for receiving an identification of virtual machines 406 to provision and/or execute from a user, such as an administrator. In still other embodiments, the management component 404 provides a user interface for receiving a request from a user, such as an administrator, to migrate the virtual machine 406b from one physical machine 100 to another. In a further embodiment, the management component 404a identifies the computing device 100b on which the requested virtual machine 406d executes and instructs the hypervisor 401b on the identified computing device 100b to execute the identified virtual machine, and as such, the management component may be referred to as a pool management component.

Referring now to FIG. 4C, an embodiment of a virtual application delivery controller or virtual appliance 450 is depicted. In general, any of the functions and/or embodiments of the appliance 200 described above in connection with fig. 2A and 2B (e.g., the application delivery controller) may be deployed in any of the embodiments of the virtualized environment described above in connection with fig. 4A and 4B. The functionality of the application delivery controller is not deployed in the form of an appliance 200, but rather is deployed in a virtualized environment 400 on any computing device 100, such as a client 102, server 106, or appliance 200.

Referring now to FIG. 4C, a block diagram of an embodiment of a virtual appliance 450 operating on a hypervisor 401 of a server 106 is depicted. As with the appliance 200 of fig. 2A and 2B, the virtual machine 450 may provide availability, performance, offload, and security functions. For availability, the virtual appliance may perform load balancing between layers 4 and 7 of the network and perform intelligent service health monitoring. For performance increases achieved through network traffic acceleration, the virtual appliance may perform caching and compression. For any server offload processing, the virtual appliance may perform connection multiplexing and connection pooling and/or SSL processing. For security, the virtual appliance may perform any application firewall functions and SSL VPN functions of appliance 200.

Any of the modules of the appliance 200 described in connection with fig. 2A may be packaged, combined, designed, or constructed in the form of a virtualized appliance delivery controller 450, and the virtualized appliance delivery controller 450 may be deployed as a software module or component executing in a virtualized environment 300 or a non-virtualized environment on any server, such as a popular server. For example, the virtual appliance may be provided in the form of an installation package that is installed on the computing device. Referring to fig. 2A, any of the cache manager 232, policy engine 236, compression 238, encryption engine 234, packet engine 240, GUI 210, CLI 212, shell service 214 may be designed and constructed as a component or module running on any operating system of the computing device and/or virtualization environment 300. Rather than using the encryption processor 260, processor 262, memory 264, and network stack 267 of the appliance 200, the virtualization appliance 400 may use any of these resources provided by the virtualization environment 400 or otherwise available on the server 106.

Still referring to FIG. 4C, in short, any one or more vServers 275A-275N may operate or execute in the virtualization environment 400 of any type of computing device 100 (e.g., server 106). Any of the modules and functions of the appliance 200 described in connection with FIG. 2B may be designed and constructed to operate in a virtualized or non-virtualized environment of servers. Any of the vservers 275, SSL VPN 280, intranet UP 282, switching devices 284, DNS 286, acceleration devices 288, APP FW 280, and monitoring agents may be packaged, combined, designed, or built into the form of an application delivery controller 450, the application delivery controller 450 being deployable as one or more software modules or components executing in the device and/or virtualization environment 400.

In some embodiments, the server may execute multiple virtual machines 406a-406b in a virtualized environment, each running the same or a different embodiment of the virtual application delivery controller 450. In some embodiments, the server may execute one or more virtual devices 450 on one or more virtual machines on one core of the multi-core processing system. In some embodiments, the server may execute one or more virtual devices 450 on one or more virtual machines on each processor of the multiprocessor apparatus.

E.System and method for providing a multi-core architecture

The number of transistors that can be mounted on an integrated circuit every two years is essentially doubled according to moore's law. However, CPU speed increases reach a steady level (plateaus), for example, in the range of about 3.5-4GHz since 2005. In some cases, CPU manufacturers may not rely on CPU speed increases to obtain additional performance. Some CPU manufacturers may add additional cores to the processor to provide additional performance. Products such as software and network vendors that rely on CPUs for performance improvement can improve their performance by utilizing these multi-core CPUs. Software designed and constructed as a single CPU may be redesigned and/or written to take advantage of multi-threading, parallel architectures, or multi-core architectures.

In some embodiments, the multi-core architecture of the device 200, referred to as nCore or multi-core technology, allows the device to break single-core performance barriers and take advantage of the capabilities of multi-core CPUs. In the architecture described above in connection with fig. 2A, a single network or packet engine is running. The multiple cores of nCore technology and architecture allow multiple packet engines to run simultaneously and/or in parallel. By running a packet engine on each core, the device architecture takes advantage of the processing power of the additional cores. In some embodiments, this provides up to seven times the performance improvement and scalability.

Figure 5A illustrates some embodiments of work, tasks, load, or network traffic distributed over one or more processor cores according to a type of parallel mechanism or parallel computing scheme (e.g., a functional parallel mechanism, a data parallel mechanism, or a flow-based data parallel mechanism). In general, FIG. 5A illustrates an embodiment of a multi-core system such as device 200' having N cores, numbered 1 through N. In one embodiment, the work, load, or network traffic may be distributed across the first core 505A, the second core 505B, the third core 505C, the fourth core 505D, the fifth core 505E, the sixth core 505F, the seventh core 505G, etc., such that the distribution is across all N cores 505N (hereinafter collectively referred to as cores 505) or two or more of the N cores. There may be multiple VIPs 275, each running on a respective core of the multiple cores. There may be multiple packet engines 240, each running on a respective core of the multiple cores. Any of the methods used may result in different, varying, or similar workload or performance levels 515 on any of the cores. For the functional parallelism approach, each core runs a different function of the multiple functions provided by the packet engine, VIP 275 or appliance 200. In a data parallel approach, data may be parallel or distributed across the cores based on the Network Interface Card (NIC) or VIP 275 receiving the data. In yet another data parallel approach, processing may be distributed across the cores by distributing the data flow across each core.

In further detail in fig. 5A, in some embodiments, load, work, or network traffic may be distributed among multiple cores 505 according to a functional parallelism mechanism 500. The function parallelism may be based on each core performing one or more respective functions. In some embodiments, a first core may perform a first function while a second core performs a second function. In the function parallel method, functions to be executed by the multi-core system are divided and distributed to each core according to functionality. In some embodiments, a function parallel mechanism may be referred to as a task parallel mechanism and may be implemented when each processor either checks the same data or different data to perform different processes or functions. The cores or processors may execute the same or different code. In some cases, different threads or code of execution may communicate with each other at work. Communications may be conducted to pass data from one thread to the next as part of a workflow.

In some embodiments, distributing work over cores 505 according to the function parallelism mechanism 500 may include distributing network traffic according to specific functions, such as network input/output management (NW I/O)510A, Secure Socket Layer (SSL) encryption and decryption 510B, and Transmission Control Protocol (TCP) functions 510C. This may result in a work, performance, or computational load 515 based on the amount or level of functionality used. In some embodiments, distributing work over the cores 505 according to the data parallel mechanism 540 may include distributing the workload 515 based on the distribution data associated with a particular hardware or software component. In some embodiments, distributing work over the cores 505 according to the flow-based data parallelism mechanism 520 may include distributing data based on context or flow such that the workloads 515A-N on each core may be similarly, substantially equally, or relatively evenly distributed.

In the case of a function parallel approach, each core may be configured to run one or more of a plurality of functions provided by the device's packet engine or VIP. For example, core 1 may perform network I/O processing for device 200' while core 2 performs TCP connection management for the device. Similarly, core 3 may perform SSL offload while core 4 may perform layer 7 or application layer processing and traffic management. Each core may perform the same or different functions. Each core may perform more than one function. Any of the cores may perform the functions identified and/or described in connection with fig. 2A and 2B, or portions thereof. In the method, the work on the core can be divided according to functions in a coarse-grained or fine-grained mode. In some cases, as shown in FIG. 5A, the functional partitioning may cause different cores to operate at different performance or load levels 515.

In the case of a function parallel approach, each core may be configured to run one or more of a plurality of functions provided by the packet engine of the device. For example, core 1 may perform network I/O processing for device 200' while core 2 performs TCP connection management for the device. Similarly, core 3 may perform SSL offload while core 4 may perform layer 7 or application layer processing and traffic management. Each core may perform the same or different functions. Each core may perform more than one function. Any of the cores may perform the functions identified and/or described in connection with fig. 2A and 2B or portions thereof. In the method, the work on the core can be divided according to functions in a coarse-grained or fine-grained mode. In some cases, as shown in FIG. 5A, the functional partitioning may cause different cores to operate at different performance or load levels.

The functions or tasks may be distributed in any structure or arrangement. For example, fig. 5B illustrates a first Core 1505A for processing applications and processes associated with the network I/O function 510A. In some embodiments, network traffic associated with network I/O may be associated with a particular port number. Thus, outgoing and incoming packets having port destinations associated with NW I/O510A are directed to Core 1505A, which Core 1505A is dedicated to handling all network traffic associated with the NW I/O ports. Similarly, Core 2505B is dedicated to handling functions associated with SSL processing, and Core 4505D may be dedicated to handling all TCP level processing and functions.

Although fig. 5A shows functions such as network I/O, SSL and TCP, other functions may be assigned to the cores. These other functions may include any one or more of the functions or operations described herein. For example, any of the functionality described in connection with fig. 2A and 2B may be distributed across cores based on a functional basis. In some cases, a first VIP 275A may be running on a first core while a second VIP 275B, having a different configuration, may be running on a second core. In some embodiments, each core 505 may process a particular function, such that each core 505 may process processing associated with the particular function. For example, Core 2505B may handle SSL offloading while Core 4505D may handle application layer processing and traffic management.

In other embodiments, work, load, or network traffic may be distributed across the cores 505 according to any type or form of data parallelism mechanism 540. In some embodiments, a data parallelism mechanism in a multi-core system may be implemented by each core performing the same task or function on different pieces of distributed data. In some embodiments, a single thread of execution or code controls the operation on all pieces of data. In other embodiments, different threads or instructions control operations, but may execute the same code. In some embodiments, the data parallelism mechanism is implemented from the perspective of a packet engine, VServer (VIP)275A-C, Network Interface Cards (NICs) 542D-E, and/or any other network hardware or software included on the appliance 200 or associated with the appliance 200. For example, each core may run the same packet engine or VIP code or configuration but operate on different distributed data sets. Each network hardware or software structure may receive different, varying, or substantially the same amount of data and thus may have varying, different, or relatively the same amount of load 515.

In the case of a data parallel approach, the work may be divided and distributed based on the VIP, NIC and/or the VIP or NIC data flow. In one of these approaches, the work of the multi-core system may be divided or distributed among the VIPs by having each VIP work on a distributed set of data. For example, each core may be configured to run one or more VIPs. Network traffic may be distributed on the core of each VIP that handles traffic. In yet another of these approaches, the device's work may be divided or distributed across the cores based on which NIC receives network traffic. For example, network traffic for a first NIC may be distributed to a first core while network traffic for a second NIC may be distributed to a second core. In some cases, a core may process data from multiple NICs.

Although fig. 5A shows a single vServer associated with a single core 505, as is the case with VIP 1275A, VIP 2275B and VIP 3275C. However, in some embodiments, a single vServer may be associated with one or more cores 505. Instead, one or more vservers may be associated with a single core 505. Associating a vServer with a core 505 may include the core 505 processing all functions associated with that particular vServer. In some embodiments, each core executes a VIP with the same code and configuration. In other embodiments, each core executes a VIP having the same code but a different configuration. In some embodiments, each core executes a VIP having different code and the same or different configuration.

Similar to the vServer, a NIC may also be associated with a particular core 505. In many embodiments, a NIC may be coupled to one or more cores 505 such that when the NIC receives or transmits a data packet, the particular core 505 processes processing relating to receiving and transmitting the data packet. In one embodiment, a single NIC may be associated with a single core 505, as is the case with NIC 1542D and NIC 2542E. In other embodiments, one or more NICs may be associated with a single core 505. In other embodiments, however, a single NIC may be associated with one or more cores 505. In these embodiments, the load may be distributed across one or more cores 505 such that each core 505 handles substantially similar amounts of load. The core 505 associated with a NIC may process all of the functions and/or data associated with that particular NIC.

Although there is some degree of independence in distributing work across cores based on the VIP or NIC data, in some embodiments this may result in unbalanced use of cores as illustrated by the varying load 515 of figure 5A.

In some embodiments, load, work, or network traffic may be distributed across cores 505 according to any type or form of data flow. In yet another of these approaches, work may be divided or distributed across multiple cores based on data flow. For example, network traffic between clients or servers through a device may be distributed to and processed by one of multiple cores. In some cases, the core that initially establishes the session or connection may be the core to which the network traffic for the session or connection is distributed. In some embodiments, the data flow is based on any element or portion of network traffic, such as transactions, request/response communications, or traffic from an application on a client. Thus, in some embodiments, the data flow between the client and server through the appliance 200' may be more evenly distributed than would otherwise be the case.

In the stream-based data parallelism mechanism 520, data distribution is associated with any type of data stream, such as request/response pairs, transactions, sessions, connections, or application communications. For example, network traffic between clients or servers through a device may be distributed to and processed by one of multiple cores. In some cases, the core that initially establishes the session or connection may be the core to which the network traffic for the session or connection is distributed. The distribution of the data flows may be such that each core 505 runs a substantially equal or relatively evenly distributed amount of load, data, or network traffic.

In some embodiments, the data flow is based on any element or portion of network traffic, such as transactions, request/response communications, or traffic originating from an application on a client. Thus, in some embodiments, the data flow between the client and server through the appliance 200' may be more evenly distributed than would otherwise be the case. In one embodiment, the amount of data may be distributed based on a transaction or series of transactions. In some embodiments, the transaction may be between a client and a server, and may be characterized by an IP address or other packet identifier. For example, core 1505A may be dedicated to transactions between a particular client and a particular server, and thus, the load 515A on core 1505A may include network traffic associated with transactions between the particular client and server. Network traffic may be allocated to core 1505A by routing all data packets originating from a particular client or server to core 1505A.

Although work or load may be distributed to cores based in part on transactions, in other embodiments, load or work may be distributed on a per-group basis. In these embodiments, the appliance 200 may intercept data packets and allocate the data packets to the cores 505 with the least amount of load. For example, the appliance 200 may allocate the first incoming data packet to core 1505A because the load 515A on core 1 is less than the load 515B-N on the other cores 505B-N. After the first data packet is allocated to core 1505A, the amount of load 515A on core 1505A increases in proportion to the amount of processing resources required to process the first data packet. When the appliance 200 intercepts the second data packet, the appliance 200 will allocate a load to core 4505D because core 4505D has the second least amount of load. In some embodiments, allocating data packets to the core with the least amount of load may ensure that the load 515A-N distributed to each core 505 remains substantially equal.

In other embodiments, where a portion of the network traffic is allocated to a particular core 505, the load may be allocated on a per-unit basis. The above examples illustrate load balancing on a per packet basis. In other embodiments, the load may be assigned based on the number of packets, e.g., every 10, 100, or 1000 packets to the least traffic core 505. The number of packets allocated to a core 505 may be a number determined by an application, user, or administrator, and may be any number greater than zero. In still other embodiments, the load is distributed based on a time metric such that packets are distributed to a particular core 505 for a predetermined period of time. In these embodiments, packets may be distributed to a particular core 505 within 5 milliseconds or any period of time determined by a user, program, system, manager, or otherwise. After the predetermined period of time has elapsed, the time packet is transmitted to a different core 505 for the predetermined period of time.

The flow-based data parallel approach to distributing work, load, or network traffic across one or more cores 505 may include any combination of the above embodiments. These methods may be performed by any portion of the appliance 200, by an application or set of executable instructions executing on the core 505, such as a packet engine, or by any application, program, or agent executing on a computing device in communication with the appliance 200.

The functional and data parallel mechanism computing schemes shown in fig. 5A may be combined in any manner to produce a hybrid parallel mechanism or distributed processing scheme that includes a functional parallel mechanism 500, a data parallel mechanism 540, a stream-based data parallel mechanism 520, or any portion thereof. In some cases, a multi-core system may use any type or form of load balancing scheme to distribute load across one or more cores 505. The load balancing scheme may be used in conjunction with any functional and data parallel scheme or combination thereof.

FIG. 5B illustrates an embodiment of a multi-core system 545, which may be one or more systems, devices, apparatuses, or components of any type or form. In some embodiments, the system 545 may be included within an appliance 200 having one or more processing cores 505A-N. The system 545 may also include one or more Packet Engines (PEs) or Packet Processing Engines (PPEs) 548A-N in communication with the memory bus 556. A memory bus may be used to communicate with one or more of the processing cores 505A-N. The system 545 may also include one or more Network Interface Cards (NICs) 552 and a flow distributor 550, which may also communicate with one or more of the processing cores 505A-N. The flow distributor 550 may include a Receiver Side adjuster (Receiver Side Scaler-RSS) or Receiver Side adjusting (Receiver Side Scaling-RSS) module 560.

With further reference to FIG. 5B, in particular, in one embodiment, the packet engines 548A-N can comprise any portion of the appliance 200 described herein, such as any portion of the appliance described in FIGS. 2A and 2B. In some embodiments, the packet engines 548A-N can include any of the following elements: the packet engine 240, the network stack 267, the cache manager 232, the policy engine 236, the compression engine 238, the encryption engine 234, the GUI 210, the CLI212, the shell service 214, the monitor 216, and any other software and hardware elements capable of receiving data packets from the data bus 556 or any of the one or more cores 505A-N. In some embodiments, the packet engines 548A-N may include one or more vServers 275A-N or any portion thereof. In other embodiments, the packet engines 548A-N can provide any combination of the following functions: SSL VPN 280, intranet IP282, exchange 284, DNS 286, packet acceleration 288, APP FW 280, monitoring as provided by monitoring agent 197, and functions associated as a TCP stack, load balancing, SSL offload and processing, content exchange, policy evaluation, caching, compression, encoding, decompression, decoding, application firewall functions, XML processing and acceleration, and SSL VPN connections.

In some embodiments, the packet engines 548A-N can be associated with a particular server, user, client, or network. When the packet engine 548 is associated with a particular entity, the packet engine 548 can process data packets associated with the entity. For example, if the packet engine 548 is associated with a first user, the packet engine 548 will process and operate on packets generated by the first user or packets having a destination address associated with the first user. Similarly, the packet engine 548 can choose not to be associated with a particular entity such that the packet engine 548 can process and otherwise operate on any data packets that are not generated by or intended for that entity.

In some examples, the packet engines 548A-N can be configured to perform any of the functions and/or data parallelism schemes shown in FIG. 5A. In these examples, the packet engines 548A-N can distribute functions or data across multiple cores 505A-N such that the distribution is according to a parallel mechanism or distribution scheme. In some embodiments, a single packet engine 548A-N performs the load balancing scheme, and in other embodiments, one or more packet engines 548A-N performs the load balancing scheme. In one embodiment, each core 505A-N may be associated with a particular packet engine 548 such that load balancing may be performed by the packet engine. In this embodiment, load balancing may require each packet engine 548A-N associated with a core 505 to communicate with other packet engines associated with the core so that the packet engines 548A-N may collectively decide where to distribute the load. One embodiment of the process may include an arbiter that receives votes for a load from each packet engine. The arbiter can assign a load to each packet engine 548A-N based in part on the duration of the engine vote, and in some cases, can also assign a load to each packet engine 548A-N based on a priority value associated with the current amount of load on the core 505 associated with the engine.

Any packet engine running on a core may run in user mode, kernel mode, or any combination thereof. In some embodiments, the packet engine operates as an application or program running in user space or application space. In these embodiments, the packet engine may use any type or form of interface to access any functionality provided by the kernel. In some embodiments, the packet engine operates in kernel mode or as part of the kernel. In some embodiments, a first portion of the packet engine operates in user mode and a second portion of the packet engine operates in kernel mode. In some embodiments, a first packet engine on a first core executes in kernel mode while a second packet engine on a second core executes in user mode. In some embodiments, the packet engine, or any portion thereof, operates on, or in conjunction with, the NIC, or any driver thereof.

In some embodiments, the memory bus 556 may be any type or form of memory or computer bus. Although a single memory bus 556 is depicted in FIG. 5B, the system 545 can include any number of memory buses 556. In one embodiment, each packet engine 548 can be associated with one or more separate memory buses 556.

In some embodiments, NIC 552 may be any network interface card or mechanism described herein. The NIC 552 may have any number of ports. The NIC may be designed and configured to connect to any type and form of network 104. Although a single NIC 552 is shown, the system 545 may include any number of NICs 552. In some embodiments, each core 505A-N may be associated with one or more individual NICs 552. Thus, each core 505 may be associated with a single NIC 552 dedicated to a particular core 505. The cores 505A-N may include any of the processors described herein. Further, the cores 505A-N may be configured according to any of the core 505 configurations described herein. Additionally, the cores 505A-N may have any of the core 505 functionality described herein. Although FIG. 5B shows seven cores 505A-G, the system 545 can include any number of cores 505. Specifically, system 545 may include N cores, where N is an integer greater than zero.

A core may have or use memory allocated or assigned for that core. The memory may be considered exclusive or local memory for the core and only the core may access the memory. A core may have or use memory that is shared or assigned to multiple cores. The memory may be considered a common or shared memory accessible by more than one core. The cores may use any combination of private or public memory. Some levels of coordination where the same address space is used are eliminated by the separate address spaces of each core. With a separate address space, a core can work on information and data in the core's own address space without fear of conflicts with other cores. Each packet engine may have a separate memory pool for TCP and/or SSL connections.

Still referring to fig. 5B, any of the functions and/or embodiments of the core 505 described above in connection with fig. 5A may be deployed in any of the embodiments of the virtualization environments described above in connection with fig. 4A and 4B. Rather than deploying the functionality of the cores 505 in the form of physical processors 505, the functionality is deployed within the virtualized environment 400 of any computing device 100, such as a client 102, server 106, or appliance 200. In other embodiments, rather than deploying the functionality of the core 505 in the form of an appliance or one device, the functionality is deployed across multiple devices in any arrangement. For example, one device may include two or more cores and another device may include two or more cores. For example, a multi-core system may include a cluster of computing devices, a server farm, or a network of computing devices. In some embodiments, rather than deploying the functionality of the core 505 in the form of a core, the functionality is deployed over multiple processors, e.g., multiple single-core processors.

In one embodiment, the core 505 may be any form or type of processor. In some embodiments, the cores may function substantially similar to any of the processors or central processing units described herein. In some embodiments, core 505 may comprise any portion of any processor described herein. Although FIG. 5A shows 7 cores, there may be any number N of cores within device 200, where N is an integer greater than 1. In some embodiments, the core 505 may be installed within a common appliance 200, in other embodiments, the core 505 may be installed within one or more appliances 200 that are communicatively connected to each other. In some embodiments, the core 505 includes graphics processing software, while in other embodiments, the core 505 provides general purpose processing capabilities. The cores 505 may be installed in physical proximity to each other and/or may be communicatively connected to each other. Any type and form of bus or subsystem that may be physically and/or communicatively coupled to the cores connects the cores for transferring data to, from, and/or between the cores.

Although each core 505 may include software for communicating with other cores, in some embodiments, a core manager (not shown) may facilitate communication between each core 505. In some embodiments, the kernel may provide kernel management. The cores may interface or communicate with each other using various interface mechanisms. In some embodiments, core-to-core messaging may be used to communicate between cores, such as a first core sending a message or data to a second core over a bus or subsystem connected to the cores. In some embodiments, the cores may communicate over any kind or form of shared memory interface. In one embodiment, there may be one or more memory units shared among all cores. In some embodiments, each core may have a separate memory unit shared with each other core. For example, a first core may have a first shared memory with a second core and a second shared memory with a third core. In some embodiments, the cores may communicate through any type of programming or API (e.g., function calls through the kernel). In some embodiments, the operating system may identify and support multi-core devices and provide interfaces and APIs for inter-core communication.

The flow distributor 550 can be any application, program, library, script, task, service, process, or any type and form of executable instructions executing on any type or form of hardware. In some embodiments, the flow distributor 550 may be any circuit design or structure for performing any of the operations and functions described herein. In some embodiments, the flow distributor distributes, forwards, routes, controls, and/or manages data across multiple cores 505 and/or the distribution of packet engines or VIPs running on the cores. In some embodiments, the flow distributor 550 may be referred to as an interface master. In one embodiment, the flow distributor 550 comprises a set of executable instructions executing on a core or processor of the appliance 200. In yet another embodiment, the flow distributor 550 comprises a set of executable instructions executing on a computing machine in communication with the appliance 200. In some embodiments, the flow distributor 550 comprises a set of executable instructions executing on a NIC, such as firmware. Other embodiments, the flow distributor 550 includes any combination of software and hardware for distributing data packets on cores or processors. In one embodiment, the flow distributor 550 executes on at least one core 505A-N, while in other embodiments, a separate flow distributor 550 assigned to each core 505A-N executes on the associated core 505A-N. The flow distributor may use any type and form of statistical or probabilistic algorithm or decision to balance flows across multiple cores. Device hardware such as a NIC or a kernel may be designed or constructed to support sequential operations on the NIC and/or the kernel.

In embodiments where the system 545 includes one or more flow distributors 550, each flow distributor 550 can be associated with a processor 505 or a packet engine 548. The flow distributors 550 can include interface mechanisms that allow each flow distributor 550 to communicate with other flow distributors 550 executing within the system 545. In one example, one or more flow distributors 550 can determine how to balance the load by communicating with each other. The operation of this process may be substantially similar to the process described above, i.e., the votes are submitted to the arbiter, which then determines which flow distributor 550 should receive the load. In other embodiments, first flow distributor 550' may identify the load on the associated core and determine whether to forward the first data packet to the associated core based on any of the following criteria: the load on the associated core is greater than a predetermined threshold; the load on the associated core is less than a predetermined threshold; the load on the associated core is less than the load on the other cores; or any other metric that may be used to determine where to forward a data packet based in part on the amount of load on the processor.

The flow distributor 550 can distribute network traffic over the cores 505 according to a distribution, computation, or load balancing method as described herein. In one embodiment, the flow distributor may distribute network traffic based on a function parallel mechanism distribution scheme 550, a data parallel mechanism load distribution scheme 540, a flow-based data parallel mechanism distribution scheme 520, or any combination of these distribution schemes, or any load balancing scheme for distributing load across multiple processors. Thus, the flow distributor 550 can act as a load distributor by receiving data packets and distributing the data packets across the processors according to a load balancing or distribution scheme of operations. In one embodiment, the flow distributor 550 may include one or more operations, functions, or logic to determine how to distribute packets, jobs, or loads accordingly. In yet another embodiment, the flow distributor 550 may include one or more sub-operations, functions, or logic that may identify a source address and a destination address associated with a data packet and distribute the packet accordingly.

In some embodiments, the flow distributor 550 can include a receive side adaptation (RSS) network driver module 560 or any type and form of executable instructions to distribute data packets across one or more cores 505. The RSS module 560 may include any combination of hardware and software. In some embodiments, the RSS module 560 and the flow distributor 550 work in conjunction to distribute data packets across multiple processors in a core 505A-N or a multi-processor network. The RSS module 560 may execute in the NIC 552 in some embodiments, and on any one of the cores 505 in other embodiments.

In some embodiments, the RSS module 560 uses the Microsoft receive side adaptation (RSS) method. In one embodiment, RSS is Microsoft Scalable Networking initiative technology (Microsoft Scalable Networking technology) that enables receive processing to be balanced across multiple processors in a system while maintaining sequential delivery of data. RSS may use any type or form of hashing scheme to determine the core or processor to use to process the network packet.

The RSS module 560 may apply any type or form of hash function, such as the Toeplitz hash function. The hash function may be applied to a hash type value or any sequence of values. The hash function may be a secure hash of any security level or otherwise encrypted. The hash function may use a hash key. The size of the key depends on the hash function. For Toeplitz hashing, the hash key size for IPv6 is 40 bytes and the hash key size for IPv4 is 16 bytes.

The hash function may be designed or constructed based on any one or more criteria or design goals. In some embodiments, hash functions may be used that provide evenly distributed hash results for different hash inputs and different hash types, including TCP/IPv4, TCP/IPv6, IPv4, and IPv6 headers. In some embodiments, a hash function may be used that provides a uniformly distributed hash result when a small number of buckets are present (e.g., 2 or 4). In some embodiments, a hash function may be used that provides a randomly distributed hash result when a large number of buckets are present (e.g., 64 buckets). In some embodiments, the hash function is determined based on a computation or resource usage level. In some embodiments, the hash function is determined based on the ease with which the hash is implemented in hardware. In some embodiments, the hash function is determined based on how easily it is to send packets with malicious remote hosts that all hash into the same bucket.

RSS can generate hashes from any type and form of input, such as a sequence of values. The sequence of values may include any portion of the network packet, such as any header, field, or payload of the network packet or a portion thereof. In some embodiments, the hash input may be referred to as a hash type, and may include any tuple of information associated with a network packet or data flow, such as the following types: a quadruple comprising at least two IP addresses and two ports, a quadruple comprising any quadruple of values, a six-tuple, a two-tuple, and/or any other sequence of numbers or values. The following are examples of hash types that may be used by RSS:

A quadruplet of source TCP port, source IP version 4(IPv4) address, destination TCP port and destination IPv4 address.

A quadruplet of source TCP port, source IP version 6(IPv6) address, destination TCP port and destination IPv6 address.

A duplet of source IPv4 address and destination IPv4 address.

A duplet of source IPv6 address and destination IPv6 address.

A duplet of source IPv6 address and destination IPv6 address, including support for parsing IPv6 extension headers.

The hash result, or any portion thereof, may be used to identify a core or entity, such as a packet engine or VIP, for distributing network packets. In some embodiments, one or more hash bits or masks may be applied to the hash result. The hash bit or mask may be any number of bits or bytes. The NIC may support arbitrary bits, e.g., 7 bits. The network stack may set the actual number of bits to be used at initialization. The number of bits is between 1 and 7, inclusive.

The cores or entities may be identified with the hash result by any type and form of table, such as by bucket tables (bucket tables) or indirect tables (intervention tables). In some embodiments, the table is indexed by the number of bits of the hash result. The range of the hash mask may effectively define the size of the indirection table. Any portion of the hash result or the hash result itself may be used to index the indirection table. The values in the table may identify any core or processor, such as by a core or processor identifier. In some embodiments, all cores of the multi-core system are identified in the table. In other embodiments, a portion of the cores of the multi-core system are identified in the table. The indirection table may include any number of buckets, e.g., 2 to 128 buckets, which may be indexed with a hash mask. Each bucket may include a range of index values that identify a core or processor. In some embodiments, the flow controller and/or the RSS module may rebalance the network load by changing the indirection table.

In some embodiments, the multi-core system 575 does not include an RSS driver or RSS module 560. In some of these embodiments, a software manipulation module (not shown) or software embodiment of an intra-system RSS module may operate in conjunction with or as part of the flow distributor 550 to direct packets to the cores 505 in the multi-core system 575.

In some embodiments, the flow distributor 550 executes in any module or program on the appliance 200, or on any one of the cores 505 and any device or component included in the multi-core system 575. In some embodiments, the flow distributor 550' may execute on the first core 505A, while in other embodiments, the flow distributor 550 "may execute on the NIC 552. In other embodiments, an instance of the flow distributor 550' may execute on each core 505 included in the multi-core system 575. In this embodiment, each instance of the flow distributor 550 'can communicate with other instances of the flow distributor 550' to forward packets back and forth between the cores 505. There are situations where the response to the request packet is not handled by the same core, i.e. the first core handles the request, while the second core handles the response. In these cases, the instance of the flow distributor 550 'can intercept the packet and forward the packet to the desired or correct core 505, i.e., the flow distributor 550' can forward the response to the first core. Multiple instances of the flow distributor 550' may execute on any number of cores 505 or any combination of cores 505.

The flow distributor may operate in response to any one or more rules or policies. A rule may identify a core or packet processing engine that receives a network packet, data, or data flow. The rules may identify any type and form of tuple information related to the network packet, such as source and destination IP addresses and a quadruple of source and destination ports. Based on the received packet matching the tuple specified by the rule, the flow distributor may forward the packet to the core or the packet engine. In some embodiments, packets are forwarded to cores via shared memory and/or core-to-core messaging.

Although FIG. 5B illustrates the flow distributor 550 executing in the multi-core system 575, in some embodiments, the flow distributor 550 may execute on a computing device or apparatus that is located remotely from the multi-core system 575. In such an embodiment, the flow distributor 550 may communicate with the multi-core system 575 to receive data packets and distribute the packets across one or more cores 505. In one embodiment, the flow distributor 550 receives a data packet destined for the appliance 200, applies a distribution scheme to the received data packet, and distributes the data packet to one or more cores 505 of the multi-core system 575. In one embodiment, the flow distributor 550 can be included in a router or other device such that the router can destination a particular core 505 by changing the metadata associated with each packet so that each packet is destined for a child node of the multi-core system 575. In such an embodiment, each packet with the appropriate metadata may be changed or marked with the vn-tag mechanism of CISCO.

FIG. 5C illustrates an embodiment of a multi-core system 575 including one or more processing cores 505A-N. Briefly, one of the cores 505 may be designated as a control core 505A and may serve as a control plane 570 for the other cores 505. The other cores may be secondary cores that operate in the data plane, while the control core provides the control plane. The cores 505A-N share a global cache 580. The control core provides a control plane and the other cores in the multi-core system form or provide a data plane. These cores perform data processing functions on network traffic, while the control cores provide initialization, configuration, and control of the multi-core system.

Still referring to FIG. 5C, in particular, the cores 505A-N and the control core 505A may be any of the processors described herein. Further, the cores 505A-N and control core 505A may be any processor capable of operating in the system described in FIG. 5C. Additionally, cores 505A-N may be any core or group of cores described herein. The control core may be a different type of core or processor than the other cores. In some embodiments, the control core may operate a different packet engine or have a different packet engine configuration than the packet engines of other cores.

Any portion of each core's memory may be allocated to or used as a global cache shared by the cores. In short, a predetermined percentage or predetermined amount of each memory of each core may be used as a global cache. For example, 50% of each memory of each core may be used or allocated as a shared global cache. That is, in the illustrated embodiment, 2GB of each core other than control plane core or core 1 may be used to form a 28GB shared global cache. Configuring the control plane, for example by configuring a service, may determine the amount of storage for the shared global cache. In some embodiments, each core may provide a different amount of storage for use by the global cache. In other embodiments, either core may not provide any memory or use a global cache. In some embodiments, any core may also have a local cache in memory that is not allocated to the global shared memory. Each core may store any portion of the network traffic in the global shared cache. Each core may examine the cache for any content to be used in a request or response. Any core may obtain content from the global shared cache for use in a data stream, request, or response.

The global cache 580 may be any type or form of memory or storage element such as any of the memory or storage elements described herein. In some embodiments, the core 505 may have access to a predetermined amount of storage (i.e., 32GB or any other amount of storage comparable to the system 575). The global cache 580 may be allocated from a predetermined amount of memory while the remaining available memory may be allocated among the cores 505. In other embodiments, each core 505 may have a predetermined amount of storage. The global cache 580 may include an amount of storage allocated to each core 505. This amount of memory may be measured in bytes, or may be measured in the percentage of memory allocated to each core 505. Thus, the global cache 580 may include 1GB of memory from the memory associated with each core 505, or may include 20% or half of the memory associated with each core 505. In some embodiments, only a portion of the cores 505 provide memory to the global cache 580, while in other embodiments the global cache 580 may include memory that is not allocated to the cores 505.

Each core 505 may use the global cache 580 to store network traffic or cache data. In some embodiments, the packet engines of the cores use a global cache to cache and use data stored by multiple packet engines. For example, the cache manager of fig. 2A and the cache function of fig. 2B may use a global cache to share data for acceleration. For example, each packet engine may store a response, such as HTML data, in a global cache. Any cache manager operating on a core may access the global cache to provide cache responses to client requests.

In some embodiments, the core 505 may use the global cache 580 to store a port allocation table, which may be used to determine data flow based in part on ports. In other embodiments, the core 505 may use the global cache 580 to store an address lookup table or any other table or list that the flow distributor may use to determine where to direct incoming and outgoing data packets. In some embodiments, the core 505 may read from or write to the cache 580, while in other embodiments, the core 505 only reads from or only writes to the cache. The cores may use a global cache to perform core-to-core communications.

The global cache 580 may be partitioned into various memory portions, where each portion may be dedicated to a particular core 505. In one embodiment, the control core 505A may receive a large amount of available cache, while the other cores 505 may receive varying amounts of access to the global cache 580.

In some embodiments, system 575 may include control core 505A. Although FIG. 5C shows core 1505A as the control core, the control core may be any one of the appliance 200 or a multi-core system. Further, although only a single control core is depicted, system 575 may include one or more control cores, each having some degree of control over the system. In some embodiments, one or more control cores may each control a particular aspect of system 575. For example, one core may control which distribution scheme is used, while another core may determine the size of the global cache 580.

The control plane of a multi-core system may be a management core that designates and configures one core as a dedicated core or as a master core. The control plane core may provide control, management, and coordination of the operations and functions of the multiple cores in the multi-core system. The control plane core may provide control, management, and coordination of the allocation and use of the memory system on multiple cores in a multi-core system, including initialization and configuration of the memory system. In some embodiments, the control plane includes a flow distributor to control the allocation of data flows to cores and the allocation of network packets to cores based on data flow. In some embodiments, the control plane core runs a packet engine, in other embodiments, the control plane core is dedicated to the control and management of other cores of the system.

The control core 505A may have some level of control over the other cores 505, such as determining how much memory is allocated to each core 505 or determining which core should be assigned to handle a particular function or hardware/software entity. In some embodiments, the control core 505A may control these cores 505 in the control plane 570. Thus, there may be processors outside of the control plane 570 that are not controlled by the control core 505A. Determining the boundaries of the control plane 570 may include an agent executing in the control core 505A or system 575 maintaining a list of cores controlled by the control core 505A. The control core 505A may control any of the following: core initialization, determining when a core is unavailable, reallocating load to other cores when a core fails 505, deciding which distribution scheme to implement, deciding which core should receive network traffic, deciding how much cache should be allocated to each core, determining whether to distribute a particular function or element to a particular core, determining whether to allow cores to communicate with each other, determining the size of global cache 580, and any other determination of the function, configuration, or operation of cores within system 575.

F.System and method for providing a distributed cluster architecture

As discussed in the previous section, to overcome the limitations of transistor spacing and CPU speed increases, many CPU manufacturers have incorporated multi-core CPUs to improve performance over what can be achieved by even single-core, higher speed CPUs. Similar or further performance improvements may be obtained by operating multiple (single-core or multi-core) devices together as a distributed or clustered device. The individual computing devices or apparatuses may be referred to as nodes of a cluster. A centralized management system may perform load balancing, distribution, configuration, or other tasks that allow the nodes to operate together as a single computing system. In many embodiments, a cluster may be considered a single virtual appliance or computing device, external or to other devices (including servers and clients), albeit with capabilities exceeding those of typical standalone devices.

Referring now to FIG. 6, an embodiment of a cluster of computing devices or appliances 600 is described. Multiple appliances 200a-200n, such as desktop computers, servers, rack-mounted servers, blade servers, or any other type and form of computing device, or other computing devices (sometimes referred to as nodes), may be joined in a single appliance cluster 600. Although referred to as a cluster of appliances, in many embodiments the cluster may operate as an application server, a network storage server, a backup server, or without limitation any other type of computing device. In many embodiments, the cluster of appliances 600 may be used to perform multiple functions of the appliance 200, WAN optimization device, network acceleration device, or other devices described above.

In some embodiments, the cluster of appliances 600 may comprise a homogeneous set of computing devices, such as the same appliance, a blade server within one or more chassis, a desktop or rack-mounted computing device, or other device. In other embodiments, the appliance cluster 600 may include a heterogeneous or mixed set of appliances, including different models of appliances, mixed appliances and servers, or any other set of computing appliances. This may allow the cluster of devices 600 to be extended or upgraded over time, for example, with new models or equipment.

In some embodiments, as described above, each computing device or appliance 200 of the appliance cluster 600 may include a multi-core appliance. In many such embodiments, the core management and flow distribution methods discussed above may be utilized by each individual device in addition to the node management and distribution methods discussed herein. This can be viewed as a two-tier distributed system, where one device contains data and distributes the data to multiple nodes, and each node contains data for processing and distributes the data to multiple cores. Thus, in this embodiment, the node distribution system does not need to manage flow distribution to the independent cores, as may be taken care of by the master or control core as described above.

In many embodiments, the equipment cluster 600 may be physically aggregated, such as multiple blade servers in one chassis or multiple rack-mounted devices in a single rack, but in other embodiments the equipment cluster 600 may be distributed among multiple chassis, multiple racks, multiple rooms in a data center, multiple data centers, or any other physical arrangement. Thus, the device cluster 600 may be considered a virtual device aggregated via common configuration, management, and purpose, rather than a physical group.

In some embodiments, the device cluster 600 may be connected to one or more networks 104, 104'. For example, referring briefly back to FIG. 1A, in some embodiments, the appliance 200 may be deployed between a network 104 connected to one or more clients 102 and a network 104' connected to one or more servers 106. The device cluster 600 may be similarly deployed to operate as a single device. In many embodiments, this may not require any network topology changes outside of device cluster 600, allowing easy installation or expansion from a single device scenario. In other embodiments, the device cluster 600 may be similarly deployed as shown in FIGS. 1B-1D or as described above. In other embodiments, a cluster of devices may include multiple virtual machines or processes executed by one or more servers. For example, in one such embodiment, a server farm may execute multiple virtual machines, each configured as a appliance 200, and the multiple virtual machines operate in concert as an appliance cluster 600. In other embodiments, the appliance cluster 600 may include a mix of appliances 200 or virtual machines configured as appliances 200. In some embodiments, the cluster of devices 600 may be geographically distributed, where multiple devices 200 are not co-located. For example, referring back to fig. 6, in one such embodiment, the first appliance 200a may be located at a first site (e.g., a data center) and the second appliance 200b may be located at a second site (e.g., a central office or business headquarters). In further embodiments, the geographically remote devices may be connected through a private network (e.g., a T1 or T3 point-to-point connection), a VPN, or any other type and form of network. Thus, although there may be additional communication delays, there may be reliability, scalability, or other benefits in the event of a site power failure or communication disruption as compared to co-located devices 200a-200 b. In some embodiments, latency issues may be reduced by geographic or network-based distribution of data flows. For example, while configured as a cluster of devices 600, communications from clients and servers of an enterprise headquarters may be directed to the devices 200b deployed at the site, load balancing may be measured by location, or similar steps may be taken to mitigate any delays.

Still referring to fig. 6, the device cluster 600 may connect to a network via a client data plane 602. In some embodiments, the client data plane 602 may include a communication network, such as network 104, that transports data between clients and the device cluster 600. In some embodiments, the client data plane 602 may include a switch, hub, router, or other network device that bridges the external network 104 and the plurality of appliances 200a-200n of the appliance cluster 600. For example, in one such embodiment, a router may be connected to the external network 104 and to the network interface of each appliance 200a-200 n. In some embodiments, this router or switch may be referred to as an interface manager, and may also be configured to distribute traffic evenly across the nodes in the application cluster 600. Thus, in many embodiments, the interface master (master) may comprise a flow distributor external to the device cluster 600. In other embodiments, the interface master may comprise one of the devices 200a-200 n. For example, the first appliance 200a may act as an interface master, receiving incoming traffic for the cluster of appliances 600, and distributing the traffic across each of the appliances 200b-200 n. In some embodiments, return traffic may similarly flow through each of the appliances 200b-200n via the first appliance 200a acting as an interface master. In other embodiments, return traffic from each of the appliances 200b-200n may be transmitted to the network 104, 104' directly or via an external router, switch, or other means. In some embodiments, the devices 200 of a device cluster that do not act as an interface master may be referred to as an interface slave.

The interface master may perform load balancing or traffic distribution in any of a variety of ways. For example, in some embodiments, the interface master may include a router that performs equal cost multi-path (ECMP) routing of a next hop configured with a device or node of the cluster. The interface master may use Open Shortest Path First (OSPF). In some embodiments, the interface master may use a stateless hash-based mechanism for traffic distribution, e.g., a hash based on an IP address or other packet information tuple as described above. Hash keys and/or salt values may be selected for even distribution across nodes. In other embodiments, the interface master may perform flow distribution via Link Aggregation (LAG) protocol or any other type and form of flow distribution, load balancing, and routing.

In some embodiments, the device cluster 600 may connect to a network via the server data plane 604. Similar to the client data plane 602, the server data plane 604 may include a communication network, such as network 104', that transfers data between servers and the cluster of devices 600. In some embodiments, the server data plane 604 may include switches, hubs, routers, or other network devices that bridge the external network 104' and the multiple appliances 200a-200n of the appliance cluster 600. For example, in one such embodiment, a router may be connected to external network 104' and to the network interface of each appliance 200a-200 n. In many embodiments, each appliance 200a-200n may include multiple network interfaces, a first network interface connected to the client data plane 602 and a second network interface connected to the server data plane 604. This may provide additional security and prevent direct interfacing of the client and server networks by having the appliance cluster 600 act as an intermediary. In other embodiments, the client data plane 602 and the server data plane 604 may be merged or combined. For example, the appliance cluster 600 may be deployed as a non-intermediate node on a network having clients 102 and servers 106. As discussed above, in many embodiments, an interface master may be deployed on the server data plane 604 in order to route and distribute communications from the servers and the network 104' to each device of the device cluster. In many embodiments, the interface master device for the client data plane 602 and the interface slave device for the server data plane 604 may be similarly configured to perform the ECMP or LAG protocol as described above.

In some embodiments, each appliance 200a-200n in the appliance cluster 600 may be connected via an internal communication network or backplane (back plane) 606. The backplane 606 may include a communication network for inter-node or inter-device control and configuration messages and for inter-node traffic forwarding. For example, in one embodiment where a first appliance 200a communicates with a client via network 104 and a second appliance 200b communicates with a server via network 104', communications between the client and the server may flow from the client to the first appliance, from the first appliance to the second appliance via backplane 606, and from the second appliance to the server, or vice versa. In other embodiments, backplane 606 may transmit configuration messages (e.g., interface pause or reset commands), policy updates (e.g., filtering or compression policies), status messages (e.g., buffer status, throughput, or error messages), or any other type and form of inter-node communication. In some embodiments, the RSS key or hash key may be shared by all nodes in the cluster and may be transmitted via the backplane 606. For example, the first node or master node may select an RSS key (e.g., at startup or boot time) and may distribute the key for use by other nodes. In some embodiments, backplane 606 may comprise a network between network interfaces of each appliance 200, and may comprise a router, switch, or other network device (not shown). Thus, in some embodiments and as described above, routers of client data plane 602 may be deployed between device cluster 600 and network 104, routers of server data plane 604 may be deployed between device cluster 600 and network 104', and routers of back plane 606 may be deployed as part of device cluster 600. Each router may be connected to a different network interface of each appliance 200. In other embodiments, one or more planes 602-606 may be combined, or a router or switch may be split into multiple LANs or VLANs to connect to different interfaces of devices 200a-200n and provide multiple routing functions simultaneously, thereby reducing complexity or eliminating additional devices from the system.

In some embodiments, a control plane (not shown) may communicate configuration and control traffic from an administrator or user to the device cluster 600. In some embodiments, the control plane may be a fourth physical network, while in other embodiments the control plane may include a VPN, a tunnel, or communications via one of planes 602 and 606. Thus, in some embodiments, the control plane may be considered a virtual communication plane. In other embodiments, the administrator may provide configuration and control through a separate interface, such as a serial communication interface (e.g., RS-232), a USB communication interface, or any other type and form of communication. In some embodiments, the device 200 may include an interface for management, such as a front plane with buttons and displays, a web server for configuration via the network 104, 104' or the back plane 606, or any other type and form of interface.

In some embodiments, as discussed above, the appliance cluster 600 may include internal flow distribution. This may allow, for example, nodes to join/leave transparently to external devices. To avoid the need to repeatedly reconfigure the external flow distributor for this change, a node or device may act as an interface master or distributor to direct network packets to the correct node within cluster 600. For example, in some embodiments, when a node leaves a cluster (e.g., upon failure, reset, or the like), the external ECMP router may identify the change in the node and may reprocess all flows, thereby redistributing traffic. This can result in disconnecting and resetting all connections. The same disconnection and reset occurs when a node rejoins. In some embodiments, for reliability, two devices or nodes within the device cluster 600 may receive communications from external routers via a connection image.

In many embodiments, flow distribution among the nodes of the appliance cluster 600 may use any of the methods described above for flow distribution among the cores of the appliance. For example, in one embodiment, a master device, master node, or interface master device may calculate an RSS hash (e.g., Toeplitz hash) for incoming traffic and query a preference list or distribution table for the hash. In many embodiments, the flow distributor may provide the hash to the receiving device when forwarding the traffic. This may eliminate the need for the node to recalculate the hash used to distribute the flow to the cores. In many such embodiments, the RSS key used to compute the hash for distribution between devices may comprise the same key used to compute the hash for distribution between cores, which may be referred to as a global RSS key, which allows the computed hash to be reused. In some embodiments, the hash may be computed with an incoming transport layer header including a port number, an internet layer header including an IP address, or any other tuple of packet header information. In some embodiments, packet body information may be used for the hash. For example, in one embodiment in which traffic of one protocol is encapsulated within traffic of another protocol (e.g., lossy UDP traffic encapsulated via lossless TCP headers), the flow distributor may compute the hash based on the encapsulated protocol's headers (e.g., UDP headers) instead of the encapsulating protocol (e.g., TCP headers). Similarly, in some embodiments where packets are encapsulated and encrypted or compressed, the flow distributor may compute a hash based on the header of the payload packet after decryption or decompression. In other embodiments, the node may have an internal IP address, such as for configuration or management purposes. Traffic destined for these IP addresses need not be hashed and distributed, but rather can be forwarded to the node owning the destination address. For example, the device may have a web server or other server running at IP address 1.2.3.4 for configuration or management purposes, and in some embodiments, may register this address as its internal IP address with the flow distributor. In other embodiments, the flow distributor may assign an internal IP address to each node within the appliance cluster 600. Traffic arriving from an external client or server (e.g., a workstation used by an administrator) directed to the device's internal IP address (1.2.3.4) can be forwarded directly without hashing.

G.System and method for maintaining sessions via an intermediary device

The present disclosure relates to systems and methods for maintaining sessions via an intermediary device. More particularly, the present solution relates to a system and method for restoring application sessions when a primary device fails using a large amount of dynamic state maintained in a standby intermediary device. An intermediary may refer to an active-standby device pair (or an intermediary pair) that includes a first intermediary (or first apparatus) and a second intermediary (or second apparatus). The first device may be in an active mode in which the first device actively services requests from the client by parsing packets received from the client, provides response packets received from the server to the client, or otherwise provides the client with access to an application executed by the server. In some cases, the first device of the pair of intermediary devices initially configured in active mode may be referred to as the master device. The pair of intermediate devices may include a second apparatus initially configured in a standby mode. The second device may not actively service the request from the client device. The second device may be referred to as a slave device because it is in standby mode and does not actively service requests received from the client or provide responses received from the server to the client. If the master fails, stops responding, shuts down for periodic maintenance, or is otherwise unable to process requests received from the client device, is unable to forward responses received from the server, or is otherwise unable to provide the client device with the appropriate access to the application executed by the server to enable the client to interact with the application, the slave device may become the new master and service the client device by processing client requests.

The intermediary may be configured to perform deep packet inspection on the application network traffic. Application traffic may refer to packets received from a client to process or to provide to a server, or packets received from a server to process or to provide to a client. The intermediary may perform deep packet inspection to gain visibility into session state or to facilitate troubleshooting or troubleshooting problems. In such a deployment, a client device accessing an application or desktop session via an application server protocol (e.g., independent computing architecture "ICA") may disconnect from the session if the master fails and the slave becomes the new master. The client device may have to re-log into the session to access an application or desktop session provided by the server via the intermediary device.

) To provide high availability of application resources. In the active-standby device pair, the first intermediary device actively provides service to the client device while the second intermediary device remains in standby mode. For example, in some embodiments, a first intermediary device may be in an active mode and may parse and process an application session, such as an ICA session. The first intermediary device may be paired with a second intermediary device in a standby mode. The first intermediary device may maintain important state information, which may be dynamic andand changes on a per packet basis (e.g., as each packet is being processed). If the first intermediary device fails, the standby device may become the new primary device. The slave device may become the new master device and continue the session without affecting the user experience provided by the client device.

The intermediary pair (e.g., the first intermediary and the second intermediary) may be configured to provide visibility of a session between the client device and a server providing the application. For example, the intermediary device may provide visibility into a protocol (e.g., an ICA protocol or a high definition experience "HDX" protocol) for troubleshooting or analysis purposes. To resolve the protocol, the device manages a large amount of state information within the device. The state information may include, for example, information resulting from parsing the ICA protocol, parsing the common gateway protocol ("CGP"), decrypting and re-encrypting the ICA frame, or decompressing the ICA frame. Thus, the state information maintained by the intermediate device may be very large (e.g., 5 megabytes, 50 megabytes, 100 megabytes, 500 megabytes, or 1 gigabyte), and this state information may change with one or more packets processed by the intermediate device (e.g., may change with each processed packet).

The master intermediary device may maintain a state for each session in a memory of the master intermediary device. Because of the size of the state that is updated on a per packet basis, it may be challenging or impossible for the master intermediary device to share the state with or update the state in the external device (e.g., another intermediary device). If the master intermediary device is unable to share state with or update state in the external device, the state maintained in the memory of the master intermediary device may be lost while the master intermediary device is offline. When the master intermediary goes offline, the connection (e.g., a transmission control protocol "TCP" connection) of the master intermediary may be reset. When the connection between the client device and the master intermediary device is reset, an agent executing on the client device may initiate a session reconnection. A new connection (e.g., a TCP connection) established via a proxy-initiated session reconnection of a client device may be logged in or established through a new primary intermediary device (e.g., a second intermediary device that was previously in standby mode). If the new master intermediary device does not have state information about the session, the new master intermediary device may not be able to resume the session. The system and method of the present solution may allow a second intermediary device (or slave device) to maintain a state on the second device consistent with the master intermediary device while in standby mode. Thus, when the master intermediary goes offline and the slave intermediary takes over the new master role, the slave intermediary can support and continue session reconnection initiated by the client agent.

In some embodiments, both the master intermediary device and the slave intermediary device may be in a ready state. The ready state may indicate that the device is ready to parse packets carrying application protocol data and application session metadata. During application startup, an agent executing on a client device may issue a request to connect to a backend server or host via a master intermediary device over a protocol connection. The master intermediary may detect the request to initiate the connection and launch an application corresponding to the new protocol connection, and the master intermediary may parse and process the request.

When the master intermediary parses and processes a request or other data packet from an agent executing on a client device, the master intermediary may detect that the slave intermediary is in a ready state. In response to detecting that the slave intermediary is in the ready state, the master intermediary may mark the session as an updated state and also forward application protocol data and application session metadata corresponding to the request or data packet to the slave intermediary. The application protocol data and application session metadata may be collectively referred to as application data. Application protocol data may refer to high definition experience ("HDX") protocol data. Application session data may refer to HDX session metadata. The application data may be received from the intermediary device and parsed or application protocol data or application session metadata therein.

Thus, by forwarding application data from the master device to the slave device and instructing the slave device to parse the same application protocol data as the master intermediary device, the systems and methods of the present solution may maintain the same session state in both the master intermediary device and the slave intermediary device. By maintaining the same session state in both the master intermediary and the slave intermediary, the slave intermediary may seamlessly take over when the master intermediary fails or otherwise becomes unresponsive. For example, when the master intermediary device fails, all TCP connections may be reset. A proxy executing on the client device sends a request to establish a new CGP/ICA connection through a session reconnection procedure. The new connection may be registered with a new master intermediary device (e.g., a slave intermediary device previously in standby mode). The new master intermediary device may examine, process, or analyze the session reconnection to identify and retrieve session state information associated with the session reconnection. When the new master device is the slave intermediary device, the new master device may have created and maintained the session state information via packet retransmission from a previous (e.g., original or initial) master intermediary device.

Referring now to fig. 7A, a block diagram of an embodiment of a system for maintaining a session is shown. The system 700 includes an active-standby device pair 740 that includes a first intermediary 200a and a second intermediary 200 b. In some cases, the active-standby device pair 740 may be referred to as one device pair 740, a device pair 740, an intermediate device pair 740, or an apparatus 740. The device pair 740 may include one or more functions or components of the application cluster 600 as shown in fig. 6. The first device 200a of the active-standby pair 740 may be referred to as a first intermediary device 200a, a master device 200a, an initial master device 200a, or an original master device 200 a. The second device 200b of the active-standby pair 740 may be referred to as a second intermediary device 200b, a secondary intermediary device 200b, a second device 200b, an initial standby device 200b, and a new primary device 200 b.

Intermediary

200a and 200b or device pair 740 is located in between the plurality of servers 106a-n and the plurality of clients 102 a-n. The

appliances

200a and 200b may manage or optimize the delivery of website content, services, resources, or applications provided via the servers 106a-n over the network 104 or 104' by providing application level security, optimization, or traffic management. The client 102 may include one or more components or functions of the client 102. The server 106 may include one or more components or functions of the server 106. The

intermediary apparatuses

200a and 200b may be the same as or similar to the apparatus 200 described above in connection with fig. 1-6, or include one or more functions therein or components thereof. The device pair 740 may be the same as or similar to the device cluster 600 described above in connection with fig. 1-6, or include one or more functions therein or components thereof. In some embodiments, the clients 102a-n are the same as or similar to the clients 102a-n described above in connection with FIGS. 1-6 or include one or more functions or components thereof, and the servers 106a-n are the same as or similar to the servers 106a-n described above in connection with FIGS. 1-6 or include one or more functions or components thereof. In some embodiments, the client 102 and server 106 of the system 700 are also configured to perform functions or provide features for authenticating clients.

Still referring to fig. 7A, and in more detail, the device pair 740 includes an interface 705. The interface 705 may include an application programming interface, a graphical user interface, a communications port, or be configured with one or more communication or network protocols, such as TCP/IP, etc. The interface 705 may be configured to receive or intercept data packets, receive data packets, monitor network traffic, or otherwise obtain or transmit/communicate information via the network 104 or the network 104'.

In some embodiments, the interface 705 receives requests from a client 102a of the plurality of clients 102 a-n. The interface 705 may receive the request via a network protocol, a communication protocol, an application layer protocol, a transport protocol, or an encryption protocol. The protocol may include, for example, HTTP, TCP, ICA, or HDX. The protocol may be a stateful protocol or a stateless protocol. The request may include information about the client or about the resource that the client 102a is requesting access to. In some embodiments, the resource provided by the servers 106a-n may be a secure resource for which the client or a user of the client device may require authentication, authorization, or approval before access is authorized.

In some embodiments, the device pair 740 may include an interface 705 designed and constructed to receive network communications from one or more clients 102 a-n. The interface 705 may be the same as or similar to the interfaces 608 or 610a-n described above in connection with fig. 1-6, or include one or more functions or components thereof. The interface 705 may receive data packets from the client 102a, for example, via the client agent 120 a. The interface 705 may forward or relay data packets received from the client 102a to the first device 200 a. For example, the interface 705 may be configured to automatically forward data packets received from the client agent 120a to the first appliance 200 a. The interface 705 may also be configured to forward or relay data packets to the master device 200 a. The master device 200a may refer to the intermediary device of the active-standby intermediary pair 740 that is currently in the active mode. Thus, interface 705 may determine which of intermediary 200a and 200b is currently the master that is configured to actively service requests from client agent 120 and forward the requests to the master.

To determine which of the intermediary devices 200a-b is currently the master device, the interface 705 may maintain information in memory regarding the role of the intermediary devices 200 a-b. For example, the interface 705 may poll one or more of the

intermediary devices

200a and 200b and identify, determine or receive an indication as to which device is the active master. The interface 705 may save the indication in a role data structure in memory of the interface 705. The interface 705 may poll the intermediary devices 200a-b based on a time interval (e.g., every second, 5 seconds, 10 seconds, 60 seconds, 5 minutes, 10 minutes). In another example, the interface 705 may poll the intermediary apparatuses 200a-b in response to an event, condition, or trigger. For example, the interface 705 may attempt to forward packets from the client agent 120 to the intermediary 200a, but may find the intermediary 200a offline or otherwise unresponsive. The interface 705 may update the character data structure in the memory of the interface 705 with the update information. In response to determining that intermediary 200a is offline or unresponsive, interface 705 may forward the received data packet to a second intermediary 200b, which second intermediary 200b may act as the new master 200 b.

First intermediary 200a and second intermediary 200b may comprise one or more components or functions of apparatus 200. The first intermediary 200a may comprise a monitor 710a, a packet engine 715a, and a data repository 720 a. Data repository 720a may contain or hold session data 725a, mode information 730a, and parameters 735 a. The second intermediary 200b may comprise a monitor 710b, a packet engine 715b, and a data repository 720 b. Data repository 720b may contain or hold session data 725b, mode information 730b, and parameters 735 b. Monitor 710a may include digital circuitry, hardware, one or more processors, memory, or software designed, constructed, and configured to detect or determine a session state, determine a device mode, or update a state or mode. Packet engines 715a-b may include digital circuitry, hardware, one or more processors, memory, or software designed, constructed, and configured to parse or process data packets. Packet engines 715a-b may be the same as or similar to packet engine 240 described above in connection with fig. 1-6, or include one or more functions therein or components thereof.

Each device 200a-b may be associated with or correspond to a device mode or mode. The mode of the devices 200a-b may be one of active or standby. The pattern may change over time or during a session. An active mode may refer to a mode in which the appliance 200a actively services the client 102 by parsing and processing requests or data packets received from the client or its client agent 120. In the active mode, the appliance 200a receives data packets from the client 102, parses and processes the packets, and forwards data corresponding to the processed packets to the corresponding server 106 a-n. In the active mode, the device may maintain a session state in a memory of the device. The device 200a in active mode may then receive the response from the server 106, parse and process the response, and forward data corresponding to the response to the same client 102.

In the standby mode, a device (e.g., device 200b) may receive data corresponding to data packets received from a client and parse and process the data to maintain session state in a memory of device 200 b. In the standby mode, the device 200b may maintain the same session state as that maintained in the memory of the device in the active mode (e.g., device 200 a). However, when in standby mode, the device 200b may not actively service client requests by responding to the client requests or sending requests to the server 106.

A first device 200a in an active mode may be communicatively coupled or interfaced with a second device 200b in a standby mode. The first and second devices 200a-b may store the mode information in corresponding mode data structures 730 a-b. For example, the first device 200a may include a data repository 720a or storage unit 720a that contains a schema data structure 730 a. The schema data structure 730a may include a data field or a parameter field for the schema. The parameter field may hold the value of the mode, e.g., active or standby. The parameter field may include other values, terms, characters, symbols, strings, or binary indicators that may indicate whether the device is in active or standby mode. For example, the term running, operating or service may indicate an active mode. For example, the terms passive, waiting, or standby may indicate that the device is in standby mode.

Monitor 710a may be configured to determine whether an apparatus 200a-b is in a ready state or an not ready (or not ready) state. A ready state may refer to a state of a device indicating that the device is ready to parse data corresponding to a data packet in order to maintain a state of a session with a client device in a memory of the device. The ready state may be different from the active mode. For example, a device in standby mode may be in a ready state. When a device is in standby mode and ready state, the device may not be actively servicing client requests, but may still maintain session state in the device's memory. For example, a device in standby mode and ready state may receive application protocol data and application session metadata to maintain the same state of applications accessed via sessions provided by the device in active mode in a memory of the device.

To determine whether a device is in a ready state, monitor 710 can query the device. For example, monitor 710a of first device 200a may query second device 200b with a status request. In response to receiving the request, the second device 200b may respond to the request with a status update. For example, monitor 710b of second device 200b may determine whether the second device is operable or capable of parsing or processing data packets to maintain a session state. Monitor 710b may initiate or execute a diagnostic routine or test routine that checks system components to see if they are operable or properly configured to maintain a session state. The monitor 710b may also determine whether the second device 200b can resume the session with the client if the first device 200a goes offline. For example, monitor 710b may determine that one or more hardware or software components of second apparatus 200b are running and meet predetermined criteria, thresholds, or status checks. Thus, the monitor 710b may determine that the second device 200b is in a ready state and send an indication of the ready state to the first device 200 a. The first device 200a (e.g., via monitor 710a) may receive the indication to detect that the second device 200b is in a ready state.

In some embodiments, the first apparatus 200a may detect that the second apparatus 200b is in the ready state by performing a handshake routine based on a response time or using a configuration file that holds state information. For example, device pair 740 may include accessing, retrieving, or maintaining a configuration file in a data repository that contains a field storing a value indicating whether the apparatus is in a ready state or an unprovisioned or not ready state. The indication of the ready state or the not ready state may include other values, terms, characters, symbols, strings, or binary indicators that may indicate whether the device is in the ready state or the not ready state.

After determining whether the second device 200b is in the ready state or the not ready state, the monitor 710a may mark a session state of a session with the client 102. Monitor 710 may use one or more indicators to mark the session state including, for example, an update state or a disable state. The update status may refer to a status in which the first device forwards or retransmits data corresponding to a data packet received from the client to the second device 200 b. Retransmitting a data packet may refer to retransmitting some or all of the information of the received data packet. For example, the first device 200a may retransmit application protocol data to the second device 200b by transmitting the application protocol data received from the client device to the second device. The first apparatus 200a may buffer the application protocol data and send the buffered version of the application protocol data to the second apparatus 200b, or otherwise forward or retransmit the application data to the second apparatus 200 b. The deactivated state may refer to a state in which the first device 200a does not forward or retransmit data corresponding to a data packet received from the client to the second device 200 b.

Monitor 710a of first device 200a (which is in active mode) may mark the session state as either updated or deactivated in response to determining or detecting whether second device 200b (which is in standby mode) is in ready or not ready state. If the second device 200b is in the ready state, the monitor 710a marks the session state with the update state. If the second device 200b is not ready or in an unprepared or not ready state, the monitor 710a marks the session state with a deactivated state.

Monitor 710a may mark the session state with an updated state or a disabled state by setting the values of parameters saved in data repository 720 a. For example, the session data structure 725a may include a parameter field that stores a value indicating whether the session is in an update state or a deactivate state. In some cases, the data repository 720 may include a parameter data structure 735a that stores a value indicating whether the session is in an update state or a decommissioned state. The session state may apply or be associated with a single session with the client 102. In some cases, the session state may apply or be associated with one or more sessions that the first device 200a is actively managing or servicing. For example, the supervisor 710a may determine that the second apparatus 200b is in the standby mode and the ready state. The monitor 710a may then determine to set the session state with the update state in response to the second device 200b being in the ready state. The monitor 710a may save the session state as a value in the parameter data structure 735 a. The monitor 710a may use or apply the values saved in the parameter data structure 735a to one or more sessions serviced by the first appliance 200 a. For example, if the value indicates that the session state is in an updated state, the first apparatus 200a may forward or retransmit data corresponding to packets of one or more sessions received from one or more client apparatuses to the second apparatus 200b to cause, or allow the second apparatus 200b to maintain the state of the session in the memory of the second apparatus 200 b.

The first appliance 200a may receive packets of the session from the client 102a (e.g., via the client agent 120a) that include application protocol data and application session metadata. Application protocol data may refer to data of a state-based protocol or a stateful protocol. A stateful protocol may refer to a protocol that maintains its internal state on a server or intermediary device so that the protocol functions or provides access to resources. Session state may refer to information that is saved at a given time or after a packet is received and processed, and that a device, application, or session has access to this saved information. State information or state of a session or state of an application may be stored in memory in session data structures 725a-b in data repositories 720 a-b. For example, the state of a session may refer to the state of an application, the state of a desktop session, or the state of a communication channel. For example, the output of an application at a given time may be determined by the current input of the application and the state of the application.

Session state may refer to computer programs that operate serially (or sequentially) on a data stream, such as parsers, firewalls, communication protocols, and encryption programs. The serial program may operate on incoming data characters or packets in sequence, one at a time. In some of these programs, information about previously received data characters or packets is stored in variables in memory (e.g., in session data structures 725 a-b) and used to affect the processing of the current character or packet by packet engines 715 a-b. Thus, in a stateful protocol, the data passed from the previous processing cycle may indicate a state or may be a state.

When utilizing a stateful protocol, the first intermediary or the second intermediary (or both) may allocate memory or memory (e.g., session data 725a-b in data repositories 720 a-b) to handle ongoing transitions or to clear the current state in the event of a client failure in the middle of a transaction. For example, an FTP server may conduct an interactive session with a client using a stateful protocol. During the session, the client is provided with a means to authenticate and set various variables (e.g., working directory or transport mode), which may be stored as part of the client state on the server or an intermediary device.

In some cases, intermediary 200a-b may manage, establish, or handle interactions between stateful and stateless protocols between different protocol layers. For example, HTTP is an example of a stateless protocol at the TCP layer, TCP being a stateful protocol located above the IP layer, IP being another stateless protocol that routes over a network using the border gateway protocol ("BGP"), and BGP being another stateful protocol that is used to direct IP packets over the network.

In some embodiments, the first appliance 200a may receive packets from the client 102 over a stateful protocol. The application protocol may be a TCP/IP based stateful protocol. In some cases, an application protocol may be based on one or more protocols or techniques that provide functionality to efficiently provide access to applications or resources. For example, the application protocol may include functions or techniques such as intelligent redirection, adaptive compression, or deduplication. Intelligent redirection may include, for example, checking the screen activity of the client device, checking application commands, checking the server 106 being accessed, checking the capabilities of the network 104 or 104', or checking the capabilities of the server 106 to determine how or where to present the application or desktop activity. For example, client redirections may offload tasks from the server and place them on the client. Using the device and peripheral directions, the web camera, printer, and scanner can be terminated locally to allow the client device to interact with these devices at native USB speeds.

In some embodiments, the application protocol may be configured to enable or provide adaptive compression. Adaptive compression may set or configure codecs used under different network conditions. Adaptive compression may determine or optimize the utilization of CPU or GPU resources. In some embodiments, the application protocol may be configured to provide deduplication of network traffic. Application protocols may facilitate deduplication of network traffic through multicast and caching techniques. For example, multicasting of a multimedia stream may include delivering a single transmission from the origin server 106 to multiple clients 102 via one-to-many communication. Application protocols may use caching to remove duplicate data from frequently accessed data, including, for example, bitmap graphics, files, print jobs, and streaming media. In some embodiments, the application protocol may be or include a stateful protocol configured to accelerate TCP traffic-based flow by probing and responding to high network delays and packet losses.

In some embodiments, the first appliance 200a receives a packet of a session, the packet including application protocol data and application session metadata. Application protocol data may refer to information, such as variables or other data, that indicates the state of a session and that may be used to maintain or update the state of the session. The application protocol data may include a sequence identifier of the packet. The application protocol data may include data carried by packets received from the client device 102. In some cases, the application protocol data may include data that updates, changes, or modifies the state of the session. For example, the application protocol data may include a directory established for the FTP protocol, network performance metrics for the current network session such as packet loss or delay, a status of a peripheral coupled to the client device, a request to access or interact with the resource, authentication information or status information in a multi-factor authentication process, and so forth. The application session metadata may include, for example, information that may identify the session, a profile of the session, a type of protocol being used, a type of resource, an identifier of the client device 102, an IP address of the client device 102, a source or destination address, a server IP address, an identifier of the resource being accessed, a location, a type of client device (e.g., mobile device, smartphone, laptop, desktop, or tablet), a network type (e.g., cell phone network, 3G network, 4G network, LTE network, WIFI network, or ethernet), a timestamp corresponding to the initiation of the session, or other information about the application session. The application session metadata may include or be based on application protocol data. In some cases, application data may refer to application protocol data and application session metadata.

In some embodiments, the first appliance 200a parses and processes the application protocol data per packet (e.g., via packet engine 715 a). The first device 200a may parse and process the application protocol data and the application session metadata on a per packet basis. The first appliance 200a may parse and process application protocols or application session data to maintain the state of the session in the memory of the first appliance 200a and actively provide services to the client 102. When the first device 200a receives the packet, the first device may also determine whether the session state is in an update state or a deactivation state. For example, the first device 200a (or the second device 200b) may have previously marked the session state as an updated state or a deactivated state. The first device 200a may then determine that the second device 200b is in the ready state. In response to determining that the session state is in the updated state and the second apparatus 200b is in the ready state, the first apparatus 200a may forward or retransmit the application protocol data or the application session metadata (or both) to the second apparatus 200 b. The second device 200b may maintain the same state of the application accessed via the session provided by the first device on the second device upon receiving the application protocol data or the application session data or both. Thus, the first appliance 200a may cause or cause the second appliance 200b to maintain the state of the session in the memory of the second appliance 200b such that during the session, the state of the session in the memory of the second appliance 200b matches the state of the session in the memory of the first appliance 200a while the first appliance 200a is actively serving the client 102.

During a session established with the first appliance 200a via a client, the first appliance 200a may malfunction, become overloaded, be subject to a denial of service attack or virus, malfunction, perform maintenance or repair, lose power, or otherwise go offline or stop responding due to software or hardware failures. When the first device 200a goes offline, the connection established by or with the first device may be lost or reset. For example, a TCP connection established by the first appliance 200a with the client 102 may be reset. In the case where the first appliance 200a is offline, the second appliance 200b may automatically resume the session using the current state of the session maintained by the first appliance 200a before the first appliance 200a is offline. For example, a first device 200a may initially be configured as a master device 200a and a second device 200b may be configured as a slave device 200 b. When the first device 200a goes offline, the second device 200b may become the new master device and establish a new connection with the client 102 to resume the session.

In some embodiments, the monitor 710b of the second device 200b may poll the first device 200a to determine the status of the first device 200 a. The monitor 710b may poll the first device 200a based on a time interval or in response to an event, condition, or trigger. In some embodiments, monitor 710b may maintain an active connection with first device 200a, such that when first device 200a goes offline, monitor 710b may detect a loss of connection or a reset with the first device. Thus, in some embodiments, device pair 740 may resume the session using the active-standby pair of intermediary 200a-b without using interface 705, because the active-standby pair may be configured such that the master receives the packet and actively services the client, the master retransmits the packet to the slave to maintain the state of the session on the second device, and the slave automatically becomes the new master in response to it determining that the old master is offline.

In some embodiments, the interface 705 may maintain active connections with the first apparatus 200a and the second apparatus 200b and determine when an apparatus goes offline based on the lost connections. In response to detecting, determining, or identifying that the first apparatus 200a is offline, the interface 705 may send a signal to the second apparatus 200b indicating that the first apparatus 200a is offline. In some embodiments, the interface 705 sends a signal to the second device 200b to indicate that the second device 200b becomes the new master device 200 b. The signal may also indicate that the second device 200b enters an active mode in which the second device 200b, which becomes the new master device 200b, is actively servicing the client 102.

For example, in some embodiments, the client agent 120a may initiate a session reconnection when the first appliance 200a goes offline and the connection between the first appliance 200a and the client 102 is lost. The interface 705 may receive a session reconnection request initiated by the client agent 120a and forward the session reconnection to the second device 200b because the second device 200b is the new master device 200 b. The second device 200b may seamlessly resume the session with the client 102 using state information maintained in memory in the session data structure 725b of the second device 200 b. Because the second device 200b maintains current state information just prior to the first device 200a going offline, the second device 200b can resume the session with the client 102 without the user of the client device 102 having to log into the session again. Thus, the user of the client 102 may not realize that the first appliance 200a has gone offline, because the client agent 120a may automatically initiate a session reconnection, and the second appliance 200b may seamlessly resume the session using the same state as previously maintained on the first appliance 200 a. Seamlessly resuming the session may refer to resuming the session using the same state that matches the state of the session on the first device 200a before the first device goes offline. In some embodiments, seamlessly resuming the session may refer to resuming the session without requiring the user to re-log in to the session. In some embodiments, seamlessly resuming the session may refer to resuming the session without receiving a session reconnection request.

In some embodiments, seamlessly resuming the session may refer to the second appliance 200b processing the last packet received by the first appliance 200a but not completely parsed and processed by the first appliance 200a (e.g., by the packet engine 715a) due to the first appliance failing in processing the packet. Fully parsing and processing the application protocol data may include updating state information based on the application protocol data and forwarding the application protocol data to the corresponding server 106 that provides the requested resource or application. In some cases, the first device 200a may retransmit the packet to the second device 200b before parsing or processing the packet. In some cases, the first device 200a (e.g., via the monitor 710a) may retransmit the packet to the second device 200b in parallel while the packet engine 715a parses and processes the packet. Thus, the packet engine 715a may process the packet while the monitor 710a concurrently retransmits the packet to the second device 200b to cause the second device 200b to maintain a session state in the memory of the second device 200b to match the session state of the session in the memory of the first device that is actively serving the client.

In some embodiments, monitor 710a may determine that the second device is not in a ready state. The monitor 710a may set the parameter of the session to a second value to indicate to the first device 200a not to forward the application protocol data and the application session metadata to the second device. For example, monitor 710a may set the value of the parameter to a deactivated state to mark the session with the deactivated state. Thus, in response to marking the session as inactive via the second value of the parameter, the first device 710a may not forward the application protocol data and the application session metadata of the second packet of the session received from the client 102. Monitor 710a may store an indication in data repository 720a (e.g., in parameter data structure 735 a) that one or more packets have been parsed or processed by first device 200a but have not been forwarded or retransmitted to second device 200b because the session state was marked as inactive (because second device 200b is in an not ready state).

After marking the session as inactive in response to determining that the second appliance 200a is in the not-ready state, the monitor 710a may determine or detect that the second device is now in the ready state. For example, the second apparatus 200a may have been serviced or repaired or otherwise brought online (e.g., after reset). Monitor 710a may access parameter data structure 735a to update, set, modify, or change the value of a parameter to indicate that the session is in an updated state. The monitor 710a may also determine from the parameter data structure 735a that one or more packets have not been forwarded or retransmitted to the second device 200 b. Monitor 710a may then determine that the session state on second device 200b is out-of-date. The monitor 710a may then determine to push, forward, transmit, or otherwise provide state information to the second device 200b to allow the second device 200b to update the session state stored in the memory of the second device 200b such that the session state matches the state of the session in the memory of the first device 200 a. For example, monitor 710a may push or provide the complete session state information to second device 200 b. The complete session state may include application protocol data and application session metadata for one or more packets that are not forwarded to the second apparatus. The second device may update the state stored in the memory of the second device with the complete session state to match the current session state maintained on the first device. In some embodiments, monitor 710a determines or identifies data that has not been retransmitted to second device 200b and pushes the corresponding data to second device 200 b. In some embodiments, the first device 200a determines an incremental status between the first device and the second device and pushes the incremental status information to the second device 200 b. In some embodiments, the first device 200a sends a request to the second device 200b to identify the latest state information stored on the second device 200 b.

Referring now to FIG. 7B, a block diagram of an embodiment of a method of maintaining a session is shown. Method 750 may be performed using one or more of the systems or components described in fig. 1-7A. Briefly, in some embodiments, method 750 includes receiving, at a first device intermediary to a plurality of clients and a plurality of servers, a session packet containing application data at step 752. In step 754, the first device determines that the second device is in a ready state. In step 756, the first device marks the session state of the session as an updated state. At step 758, in response to determining that the second device is in the ready state and the session state is in the updated state, the first device forwards the application data to the second device to cause the second device to maintain the same state on the second device as the session maintained on the first device.

Still referring to fig. 7B, and in more detail, at step 752, a first device intermediary to a plurality of clients and a plurality of servers receives a packet of a session, the packet including application data. The first device may be a first device in an intermediate device active-standby pair that includes the first device and a second device. The first device may be an active device that is actively servicing client requests. The second device may be a standby device. Thus, the first device may be a master device that is actively serving the client, while the second device may be a slave device in a standby mode. The first device may receive a packet for a session, the packet including application protocol data and application session metadata for maintaining a state of an application accessed via the session.

For example, the first device may receive an indication from the client device or a proxy of the client device to launch an application provided by the application server. The first device may initiate a connection to an application server configured to execute the application in response to an indication from the client device. For example, an application server may be configured with the application and with appropriate computing and storage resources to execute the application and deliver the application to the client device via the first intermediary device. The first device may receive login information from the client and, in response to receiving the login information from the client, use the login information to establish a session between the client device and a server of the plurality of servers. For example, the first device may be configured to facilitate or perform an authentication or authorization process using credentials such as a username, password, biometric information, fingerprint, security code, dynamic code, text-based code, audio tone, or multi-factor authentication. Accordingly, the first device may establish a session between the client and the server to provide access to an application executed by the server.

In step 754, the first device determines that the second device is in a ready state and the session state of the session is in an updated state. The first device may determine that a second device intermediary to the client and the plurality of servers is in a ready state and a session state of the session is in an updated state. For example, a first device may interrogate a second device to determine a device status of the second device. The first device may interrogate the second device to determine whether the second device is in a ready state or an not ready state. The ready state may indicate that the second device is ready to parse the application protocol data and the application session metadata to maintain the same state of the application accessed via the session provided by the first device in a memory of the second device.

In some embodiments, the second device may present or provide a status indicator indicating a status or state (such as a ready state or an not ready state) of the second device. In some embodiments, the first device may maintain an active connection with the second device, and may determine that the second device is in a ready state as long as the connection is active and online. In some embodiments, the first device may analyze performance characteristics associated with the connection to determine whether the second device is in a ready state. For example, the first device may use a handshake protocol to identify the number of lost packets, delays, or response times associated with the connection with the second device. The first device may determine that the second device is not in the ready state if the response time of the second device is below a threshold (e.g., 1 second, 2 seconds, 5 seconds, 10 seconds, 0.5 seconds, 0.1 seconds, or 1 minute). The first device may determine that the second device is not in the ready state if the number of packets dropped by the second device is above a threshold (e.g., 5, 10, 25, 50, 100, 3, or 2).

In step 756, the first device marks the session state of the session as an updated state. For example, in response to the first device determining that the second device is in the ready state, the first device may mark the session state of the session as an updated state. The update status may indicate or inform the first device to forward the application protocol data and the application session metadata to the second device while it is actively serving the client to cause, or allow the second device to maintain the state of the session or application in a memory of the second device. For example, the first apparatus may set a parameter of the session to a first value that instructs the first apparatus to forward application protocol data and application session metadata to the second apparatus in response to determining that the second apparatus is in a ready state. The first value may comprise, for example, an update status.

At step 758, in response to determining that the second apparatus is in the ready state and the session state is in the updated state, the first device forwards the application data to the second device to cause the second device to maintain the same state of the session maintained on the first device on the second device. The first device may forward the application protocol data and the application session metadata of the packet to the second device in response to determining that the second device is in the ready state and the session is in the updated state. The first device may forward the data in response to the first value of the parameter. The second device may use the application protocol data and the application session metadata to maintain the same state of the application accessed via the session provided by the first device.

For example, a first device parses packets during at least a portion of a session to actively serve a client, while a second device maintains in a memory of the second device a state of an application accessed via the session provided by the first device while the first device is actively serving the client. In this configuration, the second device may be configured in a standby mode while the first device may be configured in an active mode.

In some embodiments, the first device may enter an offline mode in which the first device cannot or will not actively provide service to the client. The first device may not provide the client with access to the application. When the first device enters the offline mode, the first device may reset, lose, or disconnect one or more connections, including, for example, a connection with the client device. In response to the first device entering the offline mode, the mode of the second device may be changed from standby to active, and the second device may become the new master. The new master device (or second device) may resume the session on the second device. For example, the second device (or the new master) may retrieve the state of the session or application from a session data structure in memory of the second device and process packets received from the client device using the current state of the session. The session state retrieved from the memory of the second device may match the session state in the memory of the first device before the first device enters the offline mode.

In some embodiments, a client agent executed by the client device determines that a first connection between the client device and the first device has terminated or ended. In response to determining that the client agent has disconnected from the first device, the client agent may initiate a session reconnection procedure. The client agent may send a request to reconnect or reestablish the session. Since the first device is offline and no longer the master, the new master (or second device) may receive the session reconnection request and establish a second connection to reestablish the session using the latest state information maintained in the memory of the second device. In some embodiments, because the second device may retrieve the current state information from the memory of the second device, the second device may resume the session if the second device does not receive login information from the client. By storing and maintaining state information in the memory of the second device, the second device can seamlessly, automatically, and efficiently resume the session.

In some embodiments, the first device may determine that the second device is no longer in the ready state at some point during the session. The first device may then update the flag for the session by setting a parameter of the session to a second value, such as a deactivated state. The second value or deactivated state may indicate to the first apparatus not to forward the application protocol data and the application session metadata to the second apparatus. The first device may determine not to forward the application protocol data and application session metadata of the second packet of the session received from the client as long as the session is marked as being in the inactive state.

During the session, and after marking the session as a deactivated state and determining not to forward the application protocol data and application session metadata of the second packet, the first device may detect that the second device is back in a ready state. For example, the second device may send a signal or indication to the first device indicating that the second device is back in a ready state. The second device may send a signal in response to returning to the ready state. In some cases, the first device may poll or monitor the second device based on a time interval. The first device may detect that the second device is returning to the ready state by polling or monitoring the second device. Polling or monitoring the device may include sending a ping or query to determine whether a connection exists or to determine the status of a connection or the status of a device.

Upon determining that the second device is in the ready state, the first device may return a parameter to a first value to indicate that the session is back to the update state. In response to the session being in the updated state, the first device may provide the complete session state to the second device. The complete session state may include application protocol data and application session metadata for the second packet that is not forwarded to the second device. The first device may provide the complete session state to the second device and may cause the second device to update the state stored in the memory of the second device with the complete session state to match the current session state maintained on the first device.

In some embodiments, the session state may be set to an updated state or a deactivated state based on the device state of the second device. For example, if the second device is in a ready state, the session state may be set to an updated state. In some embodiments, the session state may be set to an update state or a deactivate state independently of the device state of the slave device. For example, the session state may be set to an updated state or a deactivated state in response to configuration parameters associated with the session, the client device, the application protocol, or a configuration set by an administrator of the first device. For example, the predetermined configuration of the session, the type of network, the type of computing device, or the type of application may correspond to an update state or a disable state. For example, an entity may charge a higher fee for a session in an updated state due to the additional functionality of seamlessly resuming the session. Accordingly, if the customer does not want a higher level of service, the administrator of the first device may configure the session state to a deactivated state so that the second device does not maintain the session state even though the second device is in a ready state. Thus, if the session state is in the update state and the device state of the second device is in the ready state, the first device may forward the application protocol data and the application session data to the second device.

Referring now to fig. 8A, a flow diagram 800 of an embodiment of maintaining a session via an intermediary (or a pair of devices comprising a first intermediary and a second intermediary) is shown. This process 800 may be performed by one or more of the components or systems described in fig. 1-7A. At step 805, the master device in the active-standby intermediary pair receives a request for a new protocol connection, such as a stateful application protocol connection, from the client device. At 810, the master device may determine whether a slave device in an active-standby intermediary pair is in a ready state. If the slave is in the ready state (indicated by 815 "yes"), the master may mark the session as an updated state at step 820. The master device may also forward application data received from the client to the slave device. The application data may include application protocol data and application session metadata. The master device may also process and forward application protocol data to a server corresponding to the request received from the client device. However, if the master determines that the slave is not in the ready state (indicated by 825 "no"), the master may mark the session as inactive. The master device may then proceed to process and forward the application protocol data to the server corresponding to the request received from the client.

Referring now to fig. 8B, a flow diagram 801 of an embodiment of maintaining a session via an intermediary (or a pair of devices comprising a first intermediary and a second intermediary) is shown. This process 801 may be performed by one or more of the components or systems described in fig. 1-7A. At step 835, the master device may receive application protocol data. At 840, the master device may determine whether the session state is in an updated state or a deactivated state. If the session is in an update state (indicated by "yes" 845), the master may determine whether the slave is in a ready state at step 850. If the master determines that the slave is in the ready state (indicated by 855 "yes"), the master may forward application data (e.g., application protocol data or application session metadata) to the slave at step 860. The master device may also process and forward the protocol data 835 to the corresponding server at step 860.

If the master determines that the slave is not in the ready state (indicated by no 865), the master may mark the session as disabled at step 870. The master device may also process and forward the protocol data 835 to the corresponding server at step 870. Thus, the master may actively provide service to the client regardless of whether the slave is in a ready state.

If the master determines that the session is not in an updated state (indicated by 875 "no"), the master may determine whether the slave is in a ready state at step 880. If the master determines that the slave is in the ready state (indicated by 885 "yes"), the master may mark the session as an updated state at step 890. For example, at 890, the master device may change the flag for the session from a deactivated state to an updated state. The master device may also push the full session state to the slave device at step 890. If the slave is in the ready state (indicated by 885 "yes"), the master may also forward the application data to the slave at step 895. After the master pushes the complete session state to the slave at step 890, the master may forward the application data to the slave at step 895. For example, the master device may first keep the slave device in the most current state and then forward the new application protocol data 835 at step 895 to enable the slave device to maintain the session state in the slave device's memory.

If the master determines that the slave is not in a ready state (indicated by 896 no), the master may proceed to process and forward application protocol data 835 to the corresponding server.

It should be understood that the system described above may provide any or each of these components and that these components may be provided on separate machines or, in some embodiments, on multiple machines in a distributed system. The systems and methods described above may be implemented as a method, apparatus or article of manufacture using programming and/or engineering techniques to provide software, firmware, hardware, or any combination thereof. Further, the systems and methods described above may be provided as one or more computer readable programs embodied on or in one or more articles of manufacture. The term "article of manufacture" as used herein is intended to encompass code or logic accessible from or embedded in one or more computer-readable devices, firmware, programmable logic, memory devices (e.g., EEPROM, ROM, PROM, RAM, SRAM, etc.), hardware (e.g., an integrated circuit chip, Field Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC), etc.), electronic devices, a computer-readable non-volatile memory unit (e.g., CD-ROM, floppy disk, hard disk, etc.). The article of manufacture may be accessible from a file server that provides access to the computer readable program via a network transmission line, wireless transmission media, signals propagating through space, radio waves, infrared signals, etc. The product may be a flash memory card or a magnetic tape. The article of manufacture includes hardware logic and software or programmable code embedded in a computer readable medium for execution by a processor. Generally, the computer readable program may be implemented in any programming language, such as LISP, PERL, C + +, C #, PROLOG, or any bytecode language such as JAVA. A software program may be stored on or in one or more articles of manufacture as object code.

References to "or" may be construed as inclusive such that any term described using "or" may indicate a single, more than one, or all of the described terms.

While various embodiments of the method and system have been described, these embodiments are exemplary and do not in any way limit the scope of the method and system. Workers skilled in the relevant art will recognize that changes may be made in form and detail of the described methods and systems without departing from the broadest scope of the described methods and systems. Thus, the scope of the methods and systems described herein should not be limited by these exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

Claims

1. A method, comprising:

receiving, by the computing device, protocol data from a second device based at least on the computing device being in a ready state, the second device being in communication with the client device and the protocol data being for maintaining a state of a session provided by the second device to the client device to service the client device;

maintaining, by the computing device, a state of an application accessed via a session provided by the second device to the client device;

Establishing, by the computing device, a connection with the client device in response to a loss of the connection established with the client device by the second device; and

restoring, by the computing device, the session using the state of the application maintained in the memory of the computing device after establishing the connection of the client device with the computing device.

2. The method of claim 1, wherein the protocol data is forwarded from the second device such that a state of the application maintained by the computing device is the same as a state of an application accessed via a session provided by the second device to the client device.

3. The method of claim 1, further comprising receiving, by the computing device, protocol data from a second device in response to a parameter value for a session indicating that a state of the session is in an updated state.

4. The method of claim 1, wherein the computing device and the second device are intermediary devices between the client device and a third device that provides the client device with access to the application.

5. The method of claim 1, further comprising receiving, by the computing device, the protocol data from the second device in response to the parameter value for the session indicating that the second device forwarded the protocol data to the computing device in response to determining that the computing device is in the ready state.

6. The method of claim 1, wherein the computing device is no longer in a ready state and a parameter of a session is set to a second value to indicate that a second device is not to forward protocol data to the computing device.

7. The method of claim 6, wherein the computing device is not to forward the protocol data in response to the parameter for the session being set to the second value.

8. An intermediary device, comprising:

a memory; and

one or more processors coupled to the memory configured to:

receiving a packet from a client device over a protocol configured to provide the client device with access to an application;

determining that the computing device is in a ready state indicating that the computing device is capable of parsing packets to maintain a state of a session with the client device in a data structure of the computing device, wherein the state of the session saved in the data structure of the computing device matches the state of the session saved by the intermediary device; and

the received packets are provided to a computing device such that the computing device parses the same packets as the intermediary device to maintain the same session state at both the intermediary device and the computing device.

9. An intermediary device according to claim 8, wherein the packets are provided to the computing device such that information of the packets received by the computing device is the same as packet information used by the intermediary device to enable the computing device to take over the session.

10. The intermediary of claim 8, wherein the session is an independent computing architecture session.

11. The intermediary device of claim 8, wherein the one or more processors are further configured to set the session parameter to a value that instructs the intermediary device to forward the packet to the computing device in response to identifying that the computing device is in the ready state.

12. The intermediary device of claim 11, wherein the one or more processors are further configured to determine that the computing device is no longer in a ready state.

13. The intermediary device of claim 12, wherein the one or more processors are further configured to set the session parameter to a second value that instructs the intermediary device not to forward the packet to the computing device in response to the computing device no longer being in the ready state.

14. The intermediary device of claim 13, wherein the one or more processors are further configured to determine not to forward the packet to the computing device in response to the session parameter being set to the second value.

15. A computing device, comprising:

one or more processors coupled to the memory, configured to:

receiving protocol data from a second device in communication with the client device based at least on the computing device being in a ready state, the protocol data for maintaining a state of a session provided by the second device to the client device to service the client device;

maintaining a state of an application accessed via a session provided by the second device to the client device;

establishing a connection with the client device in response to a loss of the connection established by the second device with the client device; and

after establishing the connection of the client device with the computing device, the session is resumed using the state of the application maintained in the memory of the computing device.

16. The computing device of claim 15, wherein the protocol data is forwarded from the second device such that a state of the application maintained by the computing device is the same as a state of the application accessed via a session provided by the second device to the client device.

17. The computing device of claim 15, wherein the computing device and the second device are intermediary devices between the client device and a third device that provides the client device with access to the application.

18. The computing device of claim 15, wherein the one or more processors are further configured to receive protocol data from the second device in response to the parameter value of the session indicating forwarding of the protocol data to the computing device in response to determining that the computing device is in the ready state.

19. The computing device of claim 18, wherein the computing device is no longer in a ready state and a parameter of a session is set to a second value to indicate that a second device is not to forward protocol data to the computing device.

20. The computing device of claim 19, wherein the computing device is not to forward protocol data from the second device in response to the parameter of the session being set to the second value.